Self Assessment

Weekly Intelligence Report – 16 Feb 2024

Published On : 2024-02-15
Share :
Weekly Intelligence Report – 16 Feb 2024

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware.
Target Technologies: MS Windows

CYFIRMA Research and Advisory Team has found Albabat ransomware in the wild while monitoring various underground forums as part of our Threat Discovery Process.

Albabat Ransomware
Albabat, also recognized as White Bat is a financially motivated ransomware variant coded in Rust. It made its debut in November 2023 with the initial variant, Version 0.1.0. Subsequently, Version 0.3.0 was introduced in late December, followed by Version 0.3.3 in mid-January 2024.
The ransomware appears to be distributed as rogue software, like a fake Windows 10 activation tool or a cheat program for the game Counter-Strike 2.

The ransomware samples were submitted to a publicly available file scanning service, and it appears to be primarily targeting companies and individuals in Argentina, Brazil, the Czech Republic, Germany, Hungary, Kazakhstan, Russia, and the United States. However, since it masquerades as fake software, the ransomware has the potential to impact anyone.

Once the ransomware is executed, it looks for files to encrypt. It avoids encrypting the following file types:

(Source: Surface web)

In versions 0.3.0 and 0.3.3, specific file types listed below are exempted from encryption:

Note that the file types highlighted in light green are excluded in version 0.3.0. The file types highlighted in light yellow are additional files excluded in version 0.3.3.(Source: Surface web)

The Albabat ransomware appends a “.abbt” file extension to the files it encrypts. Additionally, the ransomware swaps out the desktop wallpaper with its own and creates the “README.html” file (a ransom note).

Screenshot of files encrypted by Albabat ransomware (Source: Surface Web)

Desktop wallpaper replaced by the Albabat ransomware version 0.3.0 (Source: Surface Web).

The wallpaper displayed by the Albabat ransomware asserts compatibility with both Windows and Linux platforms. However, researchers haven’t found any Linux samples yet. Considering that the ransomware is coded in the Rust language, which allows for cross- compilation across different operating systems, there is a possibility that a Linux version might be released in the future.

In Version 0.1.0, the ransomware attempts to terminate Chrome.exe. Starting from Version 0.3.0 onwards, it also makes efforts to terminate the following additional processes:

(Source: Surface web)

Version 0.3.0 and later also stops the following services:

(Source: Surface web)

Beginning with version 0.3.0, the ransomware might engage in theft from or alteration of the following files:

(Source: Surface web)

After completing the encryption process, the ransomware deposits the following files:

Version 0.1.0

  • %USERPROFILE%\Albabat\Albabat.ekey
  • %USERPROFILE%\Albabat\Albabat.log
  • %USERPROFILE%\Albabat\README.html
  • %USERPROFILE%\Albabat\wallpaper_albabat.jpg
  • %USERPROFILE%\Albabat\www\banner.jpg
  • %USERPROFILE%\Albabat\www\faq.html
  • %USERPROFILE%\Albabat\www\script.js
  • %USERPROFILE%\Albabat\www\style.css

Version 0.3.0

  • %USERPROFILE%\Albabat\Albabat.ekey
  • %USERPROFILE%\Albabat\Albabat_Logs.log
  • %USERPROFILE%\Albabat\personal_id.txt
  • %USERPROFILE%\Albabat\wallpaper_albabat.jpg
  • %USERPROFILE%Albabat\readme\README.html
  • %USERPROFILE%Albabat\readme\assets\style.css
  • %USERPROFILE%Albabat\readme\assets\script.js
  • %USERPROFILE%Albabat\readme\assets\banner.jpg
  • %USERPROFILE%Albabat\readme\pages\faq.html

Version 0.3.3

  • %USERPROFILE%\Albabat\Albabat.ekey
  • %USERPROFILE%\Albabat\credits.txt
  • %USERPROFILE%\Albabat\Encryption_DBG.log
  • %USERPROFILE%\Albabat\personal_id.txt
  • %USERPROFILE%\Albabat\wallpaper_albabat.jpg
  • %USERPROFILE%\Albabat\readme\README.html
  • %USERPROFILE%\Albabat\assets\banner.jpg
  • %USERPROFILE%\Albabat\assets\script.js
  • %USERPROFILE%\Albabat\assets\style.css
  • %USERPROFILE%\Albabat\pages\faq.html

Recent Ransom note (Source: Surface web)

The ransom note features a translation option utilizing the Google Translate service, facilitating translation into over 100 languages. When opting for translation, Portuguese is automatically chosen, suggesting that this may be the primary language of the ransomware developer.

Relevancy & Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • The ransomware deletes Windows Error Reporting Internal Metadata, disrupting the system’s ability to offer detailed error information. Deleting it helps the ransomware hide its presence, making it harder to be detected.
  • The ransomware deletes all Volume Shadow Copies, hindering data recovery options. This increases the difficulty of restoring files from previous states, making data recovery more challenging for affected users.
  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. This technique is used by the ransomware to determine whether it is operating in a debug environment. This feature aids the ransomware in avoiding analysis and detection attempts.
  • The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to execute commands, collect information, or perform system modifications.

Following are the TTPs based on the MITRE Attack Framework.

Sr. No Tactics Techniques/Sub-Techniques
1 TA0002: Execution T1047: Windows Management Instrumentation
T1106: Native API
T1569.002: System Services: Service Execution
2 TA0003: Persistence T1543.003: Create or Modify System Process: Windows Service
3 TA0004: Privilege Escalation T1543.003: Create or Modify System Process: Windows Service
4 TA0005: Defense Evasion T1006: Direct Volume Access
T1027: Obfuscated Files or Information
T1036: Masquerading
T1070.004: Indicator Removal: File Deletion
T1112: Modify Registry
T1202: Indirect Command Execution
T1222: File and Directory Permissions Modification
T1562.001: Impair Defenses: Disable or Modify Tools
T1564.003: Hide Artifacts: Hidden Window
5 TA0006: Credential Access T1003: OS Credential Dumping
6 TA0007: Discovery T1012: Query Registry
T1082: System Information Discovery
T1083: File and Directory Discovery
7 TA0009: Collection T1005: Data from Local System
T1119: Automated Collection
T1560: Archive Collected Data
8 TA0011: Command and Control T1071: Application Layer Protocol
T1090: Proxy
T1095: Non-Application Layer Protocol
T1573: Encrypted Channel
9 TA0040: Impact T1485: Data Destruction
T1486: Data Encrypted for Impact
T1490: Inhibit System Recovery
T1491: Defacement

ETLM Assessment:
CYFIRMA’s assessment, based on available information, suggests that Albabat ransomware is likely to evolve further, with potential releases targeting additional countries. As the ransomware is written in Rust and capable of cross-compilation, the threat to Linux systems may increase. Continuous improvements in evasion techniques and enhanced functionalities are expected. Organizations should prioritize robust cybersecurity measures and regular threat intelligence updates to mitigate the risk of falling victim to such attacks.

Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Sigma Rule
title: Shadow Copies Deletion Using Operating Systems Utilities
– attack.defense_evasion
– attack.impact
– attack.t1070
– attack.t1490 logsource:
category: process_creation product: windows
detection: selection1_img:
– Image|endswith:
– ‘\powershell.exe’
– ‘\pwsh.exe’
– ‘\wmic.exe’
– ‘\vssadmin.exe’
– ‘\diskshadow.exe’
– OriginalFileName:
– ‘PowerShell.EXE’
– ‘pwsh.dll’
– ‘wmic.exe’
– ‘diskshadow.exe’ selection1_cli:
– ‘shadow’ # will match “delete shadows” and “shadowcopy delete” and “shadowstorage”
– ‘delete’ selection2_img:
– Image|endswith: ‘\wbadmin.exe’
– OriginalFileName: ‘WBADMIN.EXE’ selection2_cli:
– ‘delete’
– ‘catalog’
– ‘quiet’ # will match -quiet or /quiet selection3_img:
– Image|endswith: ‘\vssadmin.exe’
– OriginalFileName: ‘VSSADMIN.EXE’ selection3_cli:
– ‘resize’
– ‘shadowstorage’ CommandLine|contains:
– ‘unbounded’
– ‘/MaxSize=’
condition: (all of selection1*) or (all of selection2*) or (all of selection3*) fields:
– CommandLine
– ParentCommandLine falsepositives:
– Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
– LANDesk LDClient Ivanti-PSModule (PS EncodedCommand) level: high
(Source: Surface web)


  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.


  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.


  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.

Trending Malware of the Week

Type: Trojan
Objective: Espionage, Data theft
Threat Actor: Roaming Mantis (aka Shaoye)
Target Technology: Android OS
Target Geographies: Japan, South Korea, France, Germany, India

Active Malware of the Week
This week “MoqHao (aka Wroba, XLoader)” is trending.

The MoqHao malware family, which has existing for several years, continues to evolve with increasingly sophisticated tactics to elude detection and target users. Notably, there is a surge in the number of C2 commands compared to previous versions, along with the utilization of legitimate platforms like Pinterest for storing and updating phishing data. The code exhibits potential targeting of Asian countries such as Japan and South Korea, as well as countries like France, Germany, and India. The latest variant is anticipated to have a significant impact as it infects devices upon installation without requiring user execution.

MoqHao, also known as Wroba and XLoader (not to be confused with the Windows and macOS malware of the same name), is an Android-based mobile threat associated with the financially motivated Chinese cluster known as Roaming Mantis (aka Shaoye). Initially detected in 2015, MoqHao has a history of targeting Asian countries, specifically Korea and Japan. Researchers have identified a new version of the MoqHao Android malware linked to the Roaming Mantis threat actor group. Traditionally, users were required to install and launch the malicious app to initiate its activities. However, this new variant employs a dangerous technique where malicious activity starts automatically upon installation, without the need for user execution. The distribution method remains consistent, involving sending a link via SMS to download the malicious app. Notably, this technique, previously introduced, is now being exploited by other active malware campaigns, expanding the threat beyond MoqHao.

Attack Method
MoqHao is distributed through phishing SMS messages, commonly referred to as Smishing. When a user receives a message containing a malicious link and clicks on it, the device downloads the malicious application.

Fig: Smishing message impersonating a notification from a courier service.

A notable change in their approach is the use of URL shortener services. Unlike using their own domain, which can be easily blocked, employing legitimate URL shorteners poses a challenge, as blocking the short domain may impact all URLs associated with that service. When a user clicks on the link in the message, the URL shortener service redirects them to the actual malicious site.

This variant of MoqHao differs from previous versions in its behavior. While typical MoqHao requires manual launch by the user after installation, this variant automatically initiates upon installation without requiring user interaction.

Fig: Differences between typical MoqHao and Modern MoqHao

Android is structured to check for the uniqueness of a specific value used by an app upon installation. MoqHao, a highly active Trojan family, exploits this feature to auto-execute itself without requiring user interaction. This recent variant of MoqHao involves distribution, installation, and auto-execution.

This recent MoqHao variant employs a new approach in using Unicode strings in app names, resulting in certain characters appearing bold and visually resembling “Chrome.” This technique poses a challenge to app name-based detection methods that rely on comparing app names (such as “Chrome”) with package names (like

Fig: App name using Unicode strings.

Furthermore, the attackers employ social engineering techniques to designate malicious apps as the default SMS app. Prior to the appearance of the settings window, a deceptive message prompts users to set up the app under the guise of preventing spam, even though the message is fraudulent.

Fig: Fake message using social engineering techniques.

The varied languages used in the text related to this behavior indicate that, apart from Japan, the attackers are also targeting South Korea, France, Germany, and India.

Fig: Fake messages designed to target different countries.

Once the malware initialization process is finished, it establishes a notification channel for the purpose of displaying phishing messages.

Fig: Create a notification channel for the next phishing attack.

The malware assesses the device’s carrier and utilizes notifications tailored to send phishing messages, deceiving users into clicking on them. MoqHao retrieves both the phishing message and URL from Pinterest profiles.

Fig: Phishing message and URL in Pinterest profile

In cases where the phishing string is empty, MoqHao resorts to using the phishing message present in the code.

Fig: Phishing notification code for each carrier

This variant of the malware establishes a connection to the C2 server through WebSocket. It has been verified that, along with the commands from previous versions, several additional commands have been incorporated.

Fig: Updated Commands list


  • MoqHao and Roaming Mantis are sophisticated threats in the Android malware domain, illustrating the adversaries’ adeptness at adapting tactics. MoqHao’s innovative auto-execution techniques pose a challenge to conventional security measures. Despite these innovations, the distribution method remains consistent, utilizing SMS messages to send links to download the malicious app.
  • The MoqHao malware has evolved its tactics by employing URL shorteners to conceal links in SMS messages, enhancing the potential success of its attacks. Furthermore, the use of content extracted from fraudulent Pinterest profiles indicates a sophisticated integration of social engineering techniques. This enhances the malware’s stealth and potential impact, positioning MoqHao as a notable threat in the cybersecurity landscape.
  • The MoqHao malware family exhibits a continual evolution in its tactics, employing diverse methods to hide and reach users. Notably, the use of WebSocket for C2 communication showcases its commitment to adopting new techniques for evasion. The latest variant introduces an innovative infection method, automatically initiating malicious activities upon installation without user execution.

From the ETLM perspective, CYFIRMA anticipates that in today’s interconnected digital landscape, the threat of cyber smishing and scams has become a significant concern. This diversity in target regions underscores the malware’s global impact and its capability to adjust its focus based on geopolitical considerations. However, there is a potential for malware, including sophisticated campaigns like MoqHao and Roaming Mantis, to introduce new features in the future, expanding their target base beyond current limits. The risk of similar attacks to the ones implemented by MoqHao and Roaming Mantis is likely to increase, emphasizing the importance of proactive cybersecurity measures.

Kindly refer to the IOCs Section to exercise controls on your security systems.


  • Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
  • Implement Mobile Device Management (MDM) policy to enhance corporate data security by monitoring, managing, and securing mobile devices such as laptops, smartphones, and tablets that are used in enterprises.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

Security Awareness training should be mandated for all company employees. The training should ensure that employees:

  • Avoid downloading and executing files from unverified sources.
  • Move beyond the traditional model of security awareness towards Improved Simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.
  • Provide your staff with basic cybersecurity hygiene training since many targeted attacks start with phishing or other social engineering techniques.


  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Enable network traffic/security monitoring, security incident detection, notification, and alerting by leveraging SIEM solutions.
  • Enforce policies to validate third-party software before installation.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implant, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware –BianLian Ransomware | Malware – MoqHao
  • BianLian Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – MoqHao
  • Behaviour –Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Unraveling the Complex Tactics of a Cyber-Espionage Campaign: The Intricacies of the Zardoor Malware

  • Threat Actors: Unknown
  • Attack Type: Malware Implant
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: Saudi Arabia
  • Target Industries: NGO
  • Business Impact: Data Loss, Data exfiltration

A sophisticated cyber-espionage campaign has been targeting an Islamic charitable organization in Saudi Arabia, utilizing a newly discovered backdoor malware called Zardoor. The attackers, deemed advanced by researchers, have been active since at least May 2023 demonstrating expertise in creating new malware, customizing open- source tools, and employing living-off-the-land techniques to evade detection.

The primary motive behind the campaign appears to be intelligence gathering, as evidenced by the periodic exfiltration of data from the targeted Islamic charitable non- profit organization. The primary target of the espionage campaign is an unnamed Islamic charitable non-profit organization based in Saudi Arabia. This indicates a focus on entities operating within the Middle East region, particularly those associated with Islamic causes or humanitarian efforts. The targeted industry encompasses charitable and non-profit organizations.

The cyber-espionage campaign initiated through an undisclosed method, with the threat actor leveraging the Zardoor backdoor malware to establish persistent access within the targeted organization’s network. To orchestrate their command-and-control framework, they adeptly repurposed open-source reverse proxy tools like Fast Reverse Proxy (FRP), sSocks, and Venom. Their customization efforts, particularly with sSocks, involved eliminating dependencies on Visual C Runtime libraries, ensuring smooth execution without encountering runtime errors. Utilizing Windows Management Instrumentation (WMI) for lateral movement and remote command execution, the threat actor deployed backdoors such as zar32.dll and zor32.dll is the main backdoor component that communicates with the attacker’s C2 and sustaining access.

Additionally, they utilized various tactics, including system service manipulation and scheduled task creation, to ensure prolonged persistence. Notably, they manipulated scheduled tasks to register their reverse proxies, enabling communication with their command and control (C2) servers every 20 minutes. This included replacing existing tasks named “KasperskySecurity” or “Microsoft Security Essentialss” with a new task named “msbuildss.exe” for the proxy. Furthermore, researchers observed the threat actor storing the remote server’s public key, facilitating access to SSH servers for remote port forwarding. This enhancement allowed external servers and devices to access resources within the private network, significantly bolstering the threat actor’s remote access capabilities.

Relevancy & Insights:
The emergence of an unknown threat actor utilizing open-source tools and developing new malware underscores the evolving landscape of cybersecurity threats. With low confidence in attributing their actions to existing groups, the utilization of common tools highlights the challenge of distinguishing between different threat actors. Moreover, their development of new malware highlights the continuous arms race between attackers and defenders, emphasizing the need for vigilant cybersecurity measures to detect and mitigate emerging threats effectively.

ETLM Assessment:
An unknown threat actor is carrying out a sustained cyber espionage campaign targeting an Islamic organization, notably focusing on a non-profit entity in Saudi Arabia. The motivation behind this targeting could be linked to geopolitical interests, potentially aimed at disrupting religious beliefs and sowing chaos. The operation includes the deployment of undisclosed malware backdoors, leading to significant compromises and data breaches. Enforcing strict policies on resource usage is vital to effectively mitigate these threats. Moreover, it is imperative to emphasize the importance of vigilant management of the external threat landscape to defend against evolving cyber threats and potential collaboration among sophisticated adversaries.


  • Deploy advanced security solutions capable of detecting and blocking new and unknown malware families like the Zardoor backdoor.
  • Enforce strict policies regarding the use of company resources to prevent unauthorized access and exploitation by threat actors.
  • Prioritize external threat landscape management through regular security assessments and threat intelligence sharing.
  • Implement ongoing employee training on cybersecurity awareness to enhance overall defence capabilities against evolving threats.
  • Collaborate with industry peers and cybersecurity experts to stay informed about emerging cyber threats and potential collaborative efforts from sophisticated adversaries.

Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

Five Eyes publish report on Volt Typhoon
The US Cybersecurity and Infrastructure Security Agency (CISA), NSA, FBI, and the
cybersecurity directorates of Australia, Canada, New Zealand, and the UK have published a joint advisory outlining the Chinese state-sponsored threat actor Volt Typhoon’s operations against US critical infrastructure.

According to the advisory, the U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations – primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors – in the continental and non-continental United States and its territories, including Guam. Volt Typhoon’s choice of targets and pattern of behaviour is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts. The US agencies note that the threat actor has been “maintaining access and footholds within some victim IT environments for at least five years.”

The Canadian Centre for Cyber Security assesses that the direct threat to Canada’s critical infrastructure from PRC state-sponsored actors is likely lower than that to U.S. infrastructure, but should U.S. infrastructure be disrupted, Canada would likely be affected as well, due to cross-border integration. ASD’s ACSC and NCSC-NZ assess Australian and New Zealand critical infrastructure, respectively, could be vulnerable to similar activity from PRC state-sponsored actors.

ETLM Assessment:
Last year, Volt Typhoon and other APTs like Mustang Panda have been focused on countries surrounding the South China Sea, where China presses territorial claims on countries like the Philippines, Vietnam or Indonesia, as well as on the United States, with which China is in conflict over primacy in the region and global affairs as a whole. Guam; a US territory in the Western Pacific that is home to significant US military bases, has allegedly been targeted. Chinese hackers have been lately mainly focusing on the defense industrial base, successfully compromising the networks of contractors to the Pentagon’s U.S. Transportation Command, 20 times in a single year, while many other incursions have probably never been found. As we have warned in an earlier report, given the increasingly assertive Chinese posturing, it was likely that Beijing’s hackers were trying to position themselves in a way it could try to paralyze U.S. critical infrastructure in case of an eruption of conflict between the two countries over the issue of Taiwanese or Philippine waters. An attempt to induce societal panic in their adversary in case of conflict is an inherent part of Chinese military doctrine and targeting of critical infrastructure in Guam could affect U.S. military operations in significant way.

Iran refines cyber operations against Israel, US sanctions Iranian cyber officials
According to researchers, Iran has accelerated its cyber operations against Israel over the course of the Israel-Hamas war. In the immediate aftermath of the October 7 Hamas attack on Israel and the subsequent war, most of Iran’s immediate operations were hasty and chaotic. However, Iran has achieved growing success. Despite early Iranian claims, many ‘attacks’ in the early days of the war were either ‘leaking’ old material, using pre-existing access to networks or were false. However, Iran’s activity quickly grew from 9 groups, monitored by researchers and active in Israel during the first week of the war to 14, just weeks into the war. Cyber-enabled influence operations went from roughly one operation every other month in 2021 to 11 in October 2023 alone. The cyber campaign entails an almost 50% increase in traffic, in the first week of the war, to news sites run by or affiliated to the Iranian state.

ETLM Assessment:
As the war progresses, Iranian actors are expanding their geographic scope to include attacks on Albania, Bahrain and the USA. They also increased their collaboration, enabling greater specialization and effectiveness. In response, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) recently announced sanctions against six Iranian officials from the Islamic Revolutionary Guard Corps Cyber- Electronic Command (IRGC-CEC) for their role in cyber-attacks on U.S. soil. The officials, members of the hacker group Cyber Av3ngers, disabled Unitronics programmable logic controllers (PLC) at a booster station operated by the Municipal Water Authority of Aliquippa, Pennsylvania in the attack. PLCs control pumps and valves in U.S. water and wastewater infrastructure and have been exploited in past destructive cyberattacks. The hackers appear to have targeted the PLCs because Unitronics is an Israeli company. The group also targeted ten water treatment stations in Israel around the time of its attack on Aliquippa. The new sanctions will prohibit companies that want to operate in the United States from conducting business with the six named Iranian officials.

Rise in Malware/Ransomware and Phishing

The BianLian Ransomware impacts the J.P. Original

  • Attack Type: Ransomware
  • Target Industry: Manufacturing
  • Target Geography: The United States of America
  • Ransomware: BianLian Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from the United States of America; (www[.]jpo[.]com), was compromised by the BianLian Ransomware. J.P. Original; makers of the popular labels Bamboo, Anne Michelle, Sunny Feet, Society 86, and Dollhouse, is one of the leading shoe manufacturers in the marketplace since 1986. The compromised data includes financial data, HR data, clients’ and partners’ data, business data, design images, mailboxes, internal and external email correspondence, and other confidential information. The total size of the compromised data is approximately 1.2 terabytes (TB).

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • We have recently noted a collaboration between the BianLian, White Rabbit, and Mario ransomware groups in a unified extortion campaign. Their joint efforts are specifically directed towards publicly traded financial services firms.
  • BianLian ransomware operators usually leverage email spam, malicious attachments, fake downloads, and drive-by downloads as initial infection vectors and use double extortion in their attacks to extort the ransom.
  • The BianLian Ransomware group primarily targets countries such as the United States of America, the United Kingdom, Canada, India, and Singapore.
  • The BianLian Ransomware group primarily targets industries including Business Support Services, Health Care Providers, Heavy Construction, Computer Services, and Industrial Machinery.
  • Based on the BianLian Ransomware victims list from 1 Jan 2023 to 14 Feb 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by BianLian Ransomware from 1 Jan 2023 to 14 Feb 2024 are as follows:

ETLM Assessment:
BianLian; a ransomware strain developed in GoLang, persistently infiltrates various industries, demanding substantial ransom payments. Employing the double extortion strategy, threat actors pilfer an organization’s files and threaten to leak them online if the ransom is not promptly paid. BianLian gains entry to victim systems through valid Remote Desktop Protocol (RDP) credentials, utilizing open-source tools and command-line scripting for discovery and credential harvesting. The exfiltration of victim data is executed via File Transfer Protocol (FTP), Rclone, or Mega. CYFIRMA’s assessment indicates that BianLian Ransomware will continue its focus on global businesses and related entities, holding significant amounts of Personally Identifiable Information (PII), financial data, or other sensitive information. Nevertheless, the recent attack on J.P. Original underscores the substantial risks posed by BianLian Ransomware to companies in advanced economies.

Vulnerabilities and Exploits

Vulnerability in Liferay Portal and Liferay DXP

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Content management system
  • Vulnerability: CVE-2024-25148 (CVSS Base Score 5.4)
  • Vulnerability Type : Improper access control
  • Patch: Available

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

Relevancy & Insights:
The vulnerability exists due to improper access restrictions in the “doAsUserId” URL parameter.

Impact :
A remote user can impersonate a user after accessing the linked content. Affected Products: https[:]//liferay[.]dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25148

Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

This week, CYFIRMA researchers have observed significant impacts on various products, due to a range of vulnerabilities. The following are the top 5 most affected products.

Latest Cyber-Attacks, Incidents, and Breaches

Black Basta claims ransomware attack on Hyundai Motor Europe

  • Threat Actors: Black Basta
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Application
  • Target Geographies: Europe
  • Target Industry: Manufacturing
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Black Basta ransomware gang claims the hack of the car maker; Hyundai Motor Europe, and the theft of three terabytes of their data. In January the company experienced IT issues, the ransomware attack likely caused the outage, The crooks provided evidence of the data breach, it seems that the gang stole data from various departments, including legal, sales, and human resources. The carmaker launched an investigation into the incident with the help of external cybersecurity and legal experts.

Relevancy & Insights:
Since April 2022, the Black Basta ransomware group has remained active, employing a double-extortion attack model common to other ransomware operations. This malicious entity utilizes various deployment methods, including the use of Cobalt Strike or similar frameworks, as well as leveraging email phishing techniques. Notably, Black Basta is frequently introduced as a secondary infection, with instances observed following a Qakbot infection, underscoring the sophistication and adaptability of its attack vectors.

ETLM Assessment:
Black Basta; a ransomware group that operates primarily in the Russian-speaking domain, has gained notoriety for its attacks on various industries. This malicious group, known for deploying the Black Basta ransomware, has demonstrated a propensity to target a diverse array of sectors, including healthcare, government, financial services, education, and media. According to assessments by CYFIRMA, there is a significant likelihood that Black Basta will persist in its efforts to compromise companies on a global scale, aiming to secure substantial financial gains through their ransomware activities.

Data Leaks

OpenSea Advertised in Leak Site

  • Attack Type: Data Leaks
  • Target Industry: Software
  • Target Geography: The United States of America
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

CYFIRMA Research team observed a potential data sale related to OpenSea, {www[.]opensea[.]io}. OpenSea is the first peer-to-peer marketplace for blockchain- based assets, which include collectibles, gaming items, digital art, domain names, event tickets, and physical assets backed by a blockchain. The data available for purchase includes email addresses, subscriber registration dates, and various other confidential details. The asking price for this dataset is 2,000 USD.

Source: Underground forums

Relevancy & Insights:
Financially motivated cybercriminals systematically monitor unprotected and vulnerable systems and applications, enticed by the prospect of monetary rewards. Many of these perpetrators actively engage in clandestine online forums, participating in discussions and transactions centred around pilfered digital assets. What sets these cybercriminals apart from other groups motivated by financial gains, such as ransomware or extortion groups, is their preference for operating discreetly. They leverage vulnerabilities in systems or applications to access valuable data, which is later advertised for sale on underground forums. Consequently, this unlawfully obtained data is repurposed by other attackers for their campaigns.

ETLM Assessment:
Bossmoves90004 is an emerging threat actor motivated primarily by financial gains, and they are presently involved in actively trading Open Sea data within illicit online forums. According to CYFIRMA’s assessment, U.S. institutions lacking robust security measures and infrastructure are likely to encounter an increased risk of potential cyberattacks from this threat actor.

Other Observations

CYFIRMA Research team observed a potential data leak related to “Primo Taglio”, {www[.]primotaglio[.]it}. “Primo Taglio” is a renowned Italian online marketplace dedicated to offering a wide selection of premium, Made in Italy food products. The compromised data includes sensitive details such as ID numbers, first and last names, email addresses, passwords, account activation status, birth dates, genders, newsletter subscription status, company affiliations, VAT numbers, timestamps, and anticipatory identification numbers.

Source: Underground forums


  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.


  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improved incident response, increased the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.