CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. These span multiple industries, geographies, and technologies that could be relevant to your organization.
Type: Ransomware.
Target Technologies: MS Windows.
Introduction
CYFIRMA Research and Advisory Team has found Knight ransomware while monitoring various underground forums as part of our Threat Discovery Process.
Relevancy:
This ransomware targets the Windows operating system, which is in common use across organizations in many industries.
Knight ransomware:
At the end of July, the Ransomware-as-a-Service operation Cyclops rebranded as Knight. Alongside the rebrand, the group modified its lite encryptor to support ‘batch distribution’ and launched a new data leak site.
Researchers detected a spam campaign that poses as TripAdvisor complaints but is built to distribute Knight ransomware. The emails carry a ZIP attachment named ‘TripAdvisorComplaint.zip,’ which contains an executable named ‘TripAdvisor Complaint – Possible Suspension.exe.’
A more recent iteration of the campaign was identified and analyzed recently; this version uses an HTML attachment named ‘TripAdvisor-Complaint-[random].PDF.htm.’
Opening the HTML file invokes Mr. D0x’s Browser-in-the-Browser (BitB) phishing technique, which draws a fake browser window that mimics TripAdvisor’s interface and asks the user to review a restaurant complaint. Clicking the ‘Read Complaint’ button downloads an Excel XLL add-in named ‘TripAdvisor_Complaint-Possible-Suspension.xll.’ The XLL was built with Excel-DNA, a framework for writing Excel add-ins in .NET, so the malware executes when the add-in is loaded.
When the XLL is opened, Microsoft Excel checks for the Mark of the Web (MoTW) that Windows attaches to files downloaded from the internet or received by email. If the MoTW is present, Excel refuses to activate the .NET add-in, which stops the attack unless the user manually unblocks the file.
If the MoTW is absent, Excel instead prompts the user to decide whether to enable the add-in. Enabling it injects the Knight Lite ransomware encryptor into a new explorer.exe process, which then begins encrypting the computer’s files.
During encryption, the .knight_l extension is appended to each encrypted file’s name, with the ‘l’ presumably standing for ‘lite.’ The ransomware also drops a ransom note named How To Restore Your Files.txt in every folder it processes. In this campaign the note demands $5,000 in Bitcoin, sent to a listed address, and links to the Knight Tor site.
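The MoTW check Excel performs can be reproduced on the file itself. The following is an added example for this advisory, not code from the original page, from Microsoft, or from the Knight campaign: on NTFS the mark is the Zone.Identifier alternate data stream, a small INI fragment that browsers and mail clients write next to a download, and a ZoneId of 3 (Internet) or 4 (Untrusted) is what makes Excel refuse an XLL. The stream text and URLs below are constructed placeholders, and the add-in file name is the one from the campaign.

```python
"""Check whether an Excel add-in carries the Mark of the Web (MoTW).

Added example for this advisory; not code from the original page, from
Microsoft, or from the Knight campaign. On NTFS the MoTW is the
Zone.Identifier alternate data stream; ZoneId 3 (Internet) or 4 (Untrusted)
is what makes Excel refuse to activate an XLL. SAMPLE_STREAM is a
constructed stream mirroring a browser download; the URLs are placeholders.
"""
import configparser
from pathlib import Path
from typing import Optional

URLZONE_INTERNET = 3
URLZONE_UNTRUSTED = 4

SAMPLE_STREAM = (  # constructed sample of a Zone.Identifier stream
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/complaint\r\n"  # placeholder, not the real lure
    "HostUrl=https://example.invalid/TripAdvisor_Complaint-Possible-Suspension.xll\r\n"
)


def parse_zone_identifier(stream_text: str) -> dict:
    """Return the [ZoneTransfer] keys as a dict, or {} if the text is not a MoTW stream."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(stream_text)
    except configparser.Error:          # e.g. text with no [ZoneTransfer] header
        return {}
    if not parser.has_section("ZoneTransfer"):
        return {}
    section = parser["ZoneTransfer"]    # option lookup is case-insensitive
    try:
        zone = int(section.get("ZoneId", "0"))
    except ValueError:                  # malformed ZoneId: treat as unmarked
        zone = 0
    info = {"ZoneId": zone}
    for key in ("ReferrerUrl", "HostUrl"):
        if key in section:
            info[key] = section[key]
    return info


def is_marked_from_internet(stream_text: Optional[str]) -> bool:
    """True only for the Internet/Untrusted zones; intranet (1) and trusted (2) do not block."""
    if not stream_text:
        return False
    zone = parse_zone_identifier(stream_text).get("ZoneId", 0)
    return zone in (URLZONE_INTERNET, URLZONE_UNTRUSTED)


def read_zone_identifier(path: Path) -> Optional[str]:
    """Read the ADS on Windows/NTFS. None means 'no stream': the file was never marked,
    the mark was stripped (archiver, FAT32 media, Unblock), or the volume is not NTFS."""
    try:
        return Path(f"{path}:Zone.Identifier").read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None


def xll_verdict(filename: str, stream_text: Optional[str]) -> str:
    """Predict Excel's handling of an add-in from its name and its MoTW stream."""
    if not filename.lower().endswith(".xll"):
        return "not-an-xll"
    if is_marked_from_internet(stream_text):
        return "blocked-by-motw"        # Excel refuses to load the add-in
    return "prompt-user-to-enable"      # the path the Knight lure depends on


if __name__ == "__main__":
    name = "TripAdvisor_Complaint-Possible-Suspension.xll"
    print(parse_zone_identifier(SAMPLE_STREAM))
    print(xll_verdict(name, SAMPLE_STREAM))   # blocked-by-motw
    print(xll_verdict(name, None))            # prompt-user-to-enable
```

An absent stream has to be read as "unknown", not "safe": Windows Explorer's built-in ZIP extraction propagates the mark to extracted files, but some third-party archivers do not, and FAT32 media cannot store alternate data streams at all, which is exactly the situation in which Excel falls back to prompting the user. On a live host, `read_zone_identifier(Path(r"C:\Users\...\Downloads\file.xll"))` feeds the verdict function directly.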
Screenshot of files encrypted by Knight Ransomware (source: surface web)
Knight Ransomware Note (source: surface web)
Insights:
The following TTPs are mapped to the MITRE ATT&CK framework.
Sr. No | Tactics | Techniques/Sub-Techniques
1 | TA0001: Initial Access | T1566: Phishing
2 | TA0002: Execution | T1059: Command and Scripting Interpreter
 | | T1129: Shared Modules
3 | TA0003: Persistence | T1574.002: Hijack Execution Flow: DLL Side-Loading
4 | TA0004: Privilege Escalation | T1574.002: Hijack Execution Flow: DLL Side-Loading
 | | T1055: Process Injection
5 | TA0005: Defense Evasion | T1027: Obfuscated Files or Information
 | | T1036: Masquerading
 | | T1055: Process Injection
 | | T1112: Modify Registry
 | | T1497.002: Virtualization/Sandbox Evasion: User Activity Based Checks
 | | T1564.003: Hide Artifacts: Hidden Window
 | | T1574.002: Hijack Execution Flow: DLL Side-Loading
6 | TA0006: Credential Access | T1056.001: Input Capture: Keylogging
7 | TA0007: Discovery | T1010: Application Window Discovery
 | | T1012: Query Registry
 | | T1018: Remote System Discovery
 | | T1057: Process Discovery
 | | T1082: System Information Discovery
 | | T1083: File and Directory Discovery
 | | T1497.002: Virtualization/Sandbox Evasion: User Activity Based Checks
 | | T1518.001: Software Discovery: Security Software Discovery
 | | T1614: System Location Discovery
 | | T1614.001: System Location Discovery: System Language Discovery
8 | TA0009: Collection | T1056.001: Input Capture: Keylogging
 | | T1113: Screen Capture
 | | T1115: Clipboard Data
9 | TA0011: Command and Control | T1071: Application Layer Protocol
 | | T1090: Proxy
 | | T1095: Non-Application Layer Protocol
 | | T1573: Encrypted Channel
10 | TA0040: Impact | T1486: Data Encrypted for Impact
Sigma Rule:
title: Creation of an Executable by an Executable
tags:
    - attack.resource_development
    - attack.t1587.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '.exe'
        TargetFilename|endswith: '.exe'
    filter_whitelist:
        Image:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\system32\cleanmgr.exe'
            - 'C:\Windows\explorer.exe'
            - 'C:\WINDOWS\system32\dxgiadaptercache.exe'
            - 'C:\WINDOWS\system32\Dism.exe'
            - 'C:\Windows\System32\wuauclt.exe'
    filter_update:
        # Security_UserID: S-1-5-18
        # Example:
        # TargetFilename: C:\Windows\SoftwareDistribution\Download\803d1df4c931df4f3e50a022cda56e88\WindowsUpdateBox.exe
        Image: 'C:\WINDOWS\system32\svchost.exe'
        TargetFilename|startswith: 'C:\Windows\SoftwareDistribution\Download\'
    filter_upgrade:
        Image: 'C:\Windows\system32\svchost.exe'
        TargetFilename|contains|all:
            # Example:
            # This example was seen during windows upgrade
            # TargetFilename: :\WUDownloadCache\803d1df4c931df4f3e50a022cda56e29\WindowsUpdateBox.exe
            - ':\WUDownloadCache\'
            - '\WindowsUpdateBox.exe'
    filter_windows_update_box:
        # This FP was seen during Windows Upgrade
        # ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wuauserv
        Image|startswith: 'C:\WINDOWS\SoftwareDistribution\Download\'
        Image|endswith: '\WindowsUpdateBox.Exe'
        TargetFilename|startswith: 'C:\$WINDOWS.~BT\Sources\'
    filter_tiworker:
        Image|startswith: 'C:\Windows\WinSxS\'
        Image|endswith: '\TiWorker.exe'
    filter_programfiles:
        - Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
        - TargetFilename|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_defender:
        Image|startswith:
            - 'C:\ProgramData\Microsoft\Windows Defender\'
            - 'C:\Program Files\Windows Defender\'
    filter_windows_apps:
        TargetFilename|contains: '\Microsoft\WindowsApps\'
    filter_teams:
        Image|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
        TargetFilename|endswith:
            - '\AppData\Local\Microsoft\Teams\stage\Teams.exe'
            - '\AppData\Local\Microsoft\Teams\stage\Squirrel.exe'
            - '\AppData\Local\Microsoft\SquirrelTemp\tempb\'
    filter_mscorsvw:
        # Example:
        # ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior
        # Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        # TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4f8c-0\MSBuild.exe
        # TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\49bc-0\testhost.net47.x86.exe
        # TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\39d8-0\fsc.exe
        Image|startswith: 'C:\Windows\Microsoft.NET\Framework\'
        Image|endswith: '\mscorsvw.exe'
        TargetFilename|startswith: 'C:\Windows\assembly\NativeImages_'
    filter_vscode:
        Image|contains: '\AppData\Local\'
        Image|endswith: '\Microsoft VS Code\Code.exe'
        TargetFilename|contains: '\.vscode\extensions\'
    filter_githubdesktop:
        Image|endswith: '\AppData\Local\GitHubDesktop\Update.exe'
        # Example TargetFileName:
        # \AppData\Local\SquirrelTemp\tempb\lib\net45\GitHubDesktop_ExecutionStub.exe
        # \AppData\Local\SquirrelTemp\tempb\lib\net45\squirrel.exe
        TargetFilename|contains: '\AppData\Local\SquirrelTemp\'
    filter_windows_temp:
        TargetFilename|startswith: 'C:\WINDOWS\TEMP\'
    condition: selection and not 1 of filter_*
falsepositives:
    # Please contribute to FP to increase the level
    - Software installers
    - Update utilities
    - 32bit applications launching their 64bit versions
level: low
(Source: Surface Web)
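To see what the rule above actually fires on, the following added example transcribes its selection and filters into Python and evaluates them over constructed Sysmon Event ID 11 (FileCreate) records. It is not code from the original advisory and not a SigmaHQ backend: the matcher implements only the subset of Sigma semantics this rule uses (exact match, startswith, endswith, contains, contains|all, a list of maps as OR, and the condition ‘selection and not 1 of filter_*’). Sigma string matching is case-insensitive, and so is the matcher. All event paths and file names are placeholders.

```python
"""Evaluate the 'Creation of an Executable by an Executable' Sigma logic over sample events.

Added example, not code from the original advisory nor a SigmaHQ backend. Only the
Sigma features used by the rule are implemented. Event records are constructed
Sysmon Event ID 11 (FileCreate) fields; every path is a placeholder.
"""
from typing import Any, Callable

SELECTION = {"Image|endswith": ".exe", "TargetFilename|endswith": ".exe"}

# A filter is a dict (every field must match) or a list of dicts (any one may match).
FILTERS: dict[str, Any] = {
    "filter_whitelist": {"Image": [
        "C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\system32\\cleanmgr.exe",
        "C:\\Windows\\explorer.exe", "C:\\WINDOWS\\system32\\dxgiadaptercache.exe",
        "C:\\WINDOWS\\system32\\Dism.exe", "C:\\Windows\\System32\\wuauclt.exe"]},
    "filter_update": {"Image": "C:\\WINDOWS\\system32\\svchost.exe",
                      "TargetFilename|startswith": "C:\\Windows\\SoftwareDistribution\\Download\\"},
    "filter_upgrade": {"Image": "C:\\Windows\\system32\\svchost.exe",
                       "TargetFilename|contains|all": [":\\WUDownloadCache\\", "\\WindowsUpdateBox.exe"]},
    "filter_windows_update_box": {"Image|startswith": "C:\\WINDOWS\\SoftwareDistribution\\Download\\",
                                  "Image|endswith": "\\WindowsUpdateBox.Exe",
                                  "TargetFilename|startswith": "C:\\$WINDOWS.~BT\\Sources\\"},
    "filter_tiworker": {"Image|startswith": "C:\\Windows\\WinSxS\\", "Image|endswith": "\\TiWorker.exe"},
    "filter_programfiles": [  # list of maps = OR
        {"Image|startswith": ["C:\\Program Files\\", "C:\\Program Files (x86)\\"]},
        {"TargetFilename|startswith": ["C:\\Program Files\\", "C:\\Program Files (x86)\\"]}],
    "filter_defender": {"Image|startswith": ["C:\\ProgramData\\Microsoft\\Windows Defender\\",
                                             "C:\\Program Files\\Windows Defender\\"]},
    "filter_windows_apps": {"TargetFilename|contains": "\\Microsoft\\WindowsApps\\"},
    "filter_teams": {"Image|endswith": "\\AppData\\Local\\Microsoft\\Teams\\Update.exe",
                     "TargetFilename|endswith": ["\\AppData\\Local\\Microsoft\\Teams\\stage\\Teams.exe",
                                                 "\\AppData\\Local\\Microsoft\\Teams\\stage\\Squirrel.exe",
                                                 "\\AppData\\Local\\Microsoft\\SquirrelTemp\\tempb\\"]},
    "filter_mscorsvw": {"Image|startswith": "C:\\Windows\\Microsoft.NET\\Framework\\",
                        "Image|endswith": "\\mscorsvw.exe",
                        "TargetFilename|startswith": "C:\\Windows\\assembly\\NativeImages_"},
    "filter_vscode": {"Image|contains": "\\AppData\\Local\\",
                      "Image|endswith": "\\Microsoft VS Code\\Code.exe",
                      "TargetFilename|contains": "\\.vscode\\extensions\\"},
    "filter_githubdesktop": {"Image|endswith": "\\AppData\\Local\\GitHubDesktop\\Update.exe",
                             "TargetFilename|contains": "\\AppData\\Local\\SquirrelTemp\\"},
    "filter_windows_temp": {"TargetFilename|startswith": "C:\\WINDOWS\\TEMP\\"},
}


def _field_matches(event: dict, key: str, pattern: Any) -> bool:
    """Match one 'Field|modifier' key; a list of patterns is OR unless the 'all' modifier is set."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    patterns = [str(p).lower() for p in (pattern if isinstance(pattern, list) else [pattern])]
    test: Callable[[str], bool]
    if "startswith" in mods:
        test = value.startswith
    elif "endswith" in mods:
        test = value.endswith
    elif "contains" in mods:
        test = lambda p: p in value
    else:
        test = lambda p: p == value
    return all(map(test, patterns)) if "all" in mods else any(map(test, patterns))


def _block_matches(event: dict, block: Any) -> bool:
    if isinstance(block, list):                       # list of maps: OR across the maps
        return any(_block_matches(event, b) for b in block)
    return all(_field_matches(event, k, v) for k, v in block.items())


def matches_rule(event: dict) -> bool:
    """condition: selection and not 1 of filter_*"""
    return _block_matches(event, SELECTION) and not any(
        _block_matches(event, f) for f in FILTERS.values())


def alerts(events: list) -> list:
    """TargetFilename of every event the rule would fire on, in input order."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


SAMPLE_EVENTS = [  # constructed; not observed telemetry from the campaign
    {"Image": "C:\\Users\\alice\\Downloads\\TripAdvisor Complaint - Possible Suspension.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"},     # fires
    {"Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Program Files\\Vendor\\app.exe"},                 # filter_whitelist
    {"Image": "C:\\WINDOWS\\system32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\SoftwareDistribution\\Download\\abcd\\WindowsUpdateBox.exe"},
    {"Image": "C:\\Users\\bob\\setup.exe",
     "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Temp\\installer.exe"},  # fires (user temp)
    {"Image": "C:\\Users\\bob\\setup.exe", "TargetFilename": "C:\\Users\\bob\\notes.txt"},  # not .exe
]

if __name__ == "__main__":
    for target in alerts(SAMPLE_EVENTS):
        print("ALERT", target)
```

Two observations a practitioner should take from running it: the fourth event shows that the filter_windows_temp exclusion only covers C:\WINDOWS\TEMP\, so installers dropping into a user's %TEMP% still alert (hence level: low), and filter_mscorsvw's prefix 'C:\Windows\Microsoft.NET\Framework\' does not cover the Framework64 path shown in the rule's own example comment, so 64-bit ngen activity is not excluded either.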
Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.
Active Malware of the Week
This week “Gigabud” is trending.
Type: Remote Access Trojan (RAT)
Objective: Steal Sensitive Information, Remote Access
Target Geographies: Thailand, Indonesia, Vietnam, Philippines, Peru
Target Industries: Financial Institutions, Banks, and Government.
Target Technology: Android OS
Gigabud
Researchers have discovered a new Android malware, Gigabud RAT, with the unusual trait of performing no malicious actions until a fraudster has authorized the victim’s session in the malicious application, which makes it hard to catch in automated analysis. Rather than relying on HTML overlay attacks, it collects sensitive information primarily by recording the screen.
A related variant, Gigabud.Loan, has also been found; it has no Remote Access Trojan (RAT) capabilities and instead masquerades as a fake loan application to trick users into entering their data. Gigabud RAT and Gigabud.Loan share the same architecture and signing certificate, implying they belong to the same malware family. Since July 2022, Gigabud.Loan has posed as applications of fictional financial institutions in Thailand, Indonesia, and Peru.
Attack Strategy
Both Gigabud.Loan and Gigabud.RAT spread through phishing websites in countries including Thailand, Indonesia, Vietnam, the Philippines, and Peru. Victims are lured by smishing and by messages over instant messengers, SMS, or social networks, typically under the guise of tax audits and refunds, to phishing sites that serve malicious Android apps impersonating official government and financial-institution apps. The sites are hosted on look-alike domains that resemble the impersonated organizations.
Gigabud.Loan is also delivered as a bare APK file over instant messengers. Android allows apps to be installed from sources other than the official app store (sideloading), but by default blocks installation from unknown sources. The “REQUEST_INSTALL_PACKAGES” permission, considered high-risk, lets an app initiate the installation of APKs outside Google Play; the user is still prompted to allow installs from that app (“Install unknown apps”) and to confirm each installation, so the campaign’s social engineering is built around getting the victim to approve both steps.
Gigabud.RAT and Gigabud.Loan are alike in how they spread, but they do different things once they’re on a device. Let’s take a closer look at those differences.
Gigabud.RAT
The Gigabud.RAT trojan disguises itself as legitimate apps from financial institutions and governments. It steals sensitive data such as passwords through screen capture and keystroke logging, can bypass authentication including second factors, replaces bank card numbers in the clipboard, and performs automated payments through remote access to the victim’s device.
When the user opens the fraudulent Gigabud app, it mimics the real app and shows a login screen. After the user enters credentials, Gigabud asks for two 6-digit codes, which both reinforces the impression of a genuine app and hinders analysis by researchers. Gigabud then shows a fake ‘Activation’ page with a button leading to a ‘Permission Request’ page; the number of options on this page varies by version. The requested permissions are primarily used for:
Screen capture – Screen capturing serves both legitimate applications and malware. Legitimate uses include screen recorders, remote-access tools, and productivity apps, supporting tasks from content creation to troubleshooting and remote support; these rely on Android’s own mechanisms, such as virtual displays and the MediaProjection API. Malware exploits the same feature to steal sensitive information such as login credentials and personal data.
Accessibility service for gestures – Android accessibility services exist to help users with disabilities interact with their devices. They extend and modify the user interface so that people with visual, auditory, physical, or cognitive impairments can navigate and use their devices more easily, offering features such as screen reading, gesture control, and speech-to-text that promote inclusivity and independence.
Banking trojans including Gustuff and Gigabud abuse these services. Gigabud uses an accessibility-service feature it calls TouchAction to gain remote control of the victim’s device, which lets the attacker perform actions on screen, bypass defenses, and even make automated payments from the device. For this reason, devices with an enabled accessibility service are treated as suspicious by anti-fraud systems.
Accessibility service as a keylogger – Recent Gigabud versions include a keylogging module built on accessibility services. The module tailors password theft to specific banking apps; only one banking app is targeted so far, but more modules are expected to be added to steal data from other banking apps.
After the user grants these permissions, Gigabud can carry out its malicious actions. Once all the required permissions are given, the trojan displays a ‘Wait’ page with an endless loading animation and the message “Please Wait for Information.”
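The three capabilities above (sideloading via REQUEST_INSTALL_PACKAGES, an accessibility service, and MediaProjection screen capture) are all declared in an app’s manifest, so they can be triaged before the app ever runs. The following is an added example for this report, not code from the original page or from the malware: it inspects the decoded AndroidManifest.xml text that a tool such as apktool produces (an assumption about the input; the script does not parse the binary manifest inside an APK) and scores the combination. The manifest below is constructed for the example and its package name, label, and class names are placeholders; it uses `android:foregroundServiceType="mediaProjection"` and the accessibility-service intent action as the indicators, and flags any app declaring two or more of the three.

```python
"""Triage a decoded AndroidManifest.xml for the capability set Gigabud relies on.

Added example, not code from the original report or from the malware. Input is the
text manifest produced by a decoder such as apktool (assumption). The manifest below
is constructed; package, label, and class names are placeholders.
Use defusedxml.ElementTree instead of xml.etree for manifests from untrusted sources.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"
A_FGS_TYPE = f"{{{ANDROID_NS}}}foregroundServiceType"

SIDELOAD_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
A11Y_BIND_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
MEDIA_PROJECTION_PERM = "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"  # Android 14+

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Tax Refund">
    <service android:name=".CaptureService" android:foregroundServiceType="mediaProjection"/>
    <service android:name=".AssistService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""  # constructed sample, not a real Gigabud manifest


def _is_accessibility_service(service: ET.Element) -> bool:
    """A real accessibility service must bind with the system permission and filter the action."""
    if service.get(A_PERMISSION) == A11Y_BIND_PERM:
        return True
    return any(a.get(A_NAME) == A11Y_ACTION for a in service.iter("action"))


def triage_manifest(xml_text: str) -> dict:
    """Return which of the three indicators are present, a score, and a verdict."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A_NAME) for p in root.iter("uses-permission")}
    services = root.findall("./application/service")
    findings = {
        "sideload": SIDELOAD_PERM in perms,
        "accessibility": any(_is_accessibility_service(s) for s in services),
        "screen_capture": MEDIA_PROJECTION_PERM in perms
        or any("mediaProjection" in (s.get(A_FGS_TYPE) or "") for s in services),
    }
    score = sum(1 for hit in findings.values() if hit)
    findings["score"] = score
    # One indicator alone is common in legitimate remote-support or installer apps;
    # two or more together is the Gigabud profile and deserves analyst attention.
    findings["verdict"] = "suspicious" if score >= 2 else "review" if score == 1 else "clean"
    return findings


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Screen recorders, remote-support tools, and app-store clients each legitimately declare one of these, which is why the script only escalates on the combination; it is a triage aid for an analyst, not a classifier, and a Gigabud.Loan sample, which has no RAT functions, would typically show only the sideload indicator.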
Gigabud.Loan
Gigabud.Loan is a variant of Gigabud that poses as a loan service and has no RAT capabilities. It pretends to be a non-existent financial institution and, under the pretext of processing a loan, collects personal details such as full name, identity number, a photo of the national identity document, digital signature, education, income information, bank card details, and phone number.
This is classic loan-application fraud: scammers pose as lenders and request money or personal information, using unsolicited emails, messages, or calls to persuade victims to supply sensitive data or pay upfront fees. In a typical case the fraudster asks for fees or for details such as bank account or social security numbers to ‘process’ the application, often promising low interest rates or guaranteed approval. Once the victim pays or shares data, the scammer disappears, leaving the victim without a loan and with a financial loss.
INSIGHTS
Key Intelligence Signals:
APT29 Exploits Duke Malware in Recent NATO Government Espionage Campaign
Summary:
APT29, a Russian state-sponsored advanced persistent threat group believed to operate under Russia’s Foreign Intelligence Service (SVR), has recently conducted cyber espionage against government agencies of NATO member states. The group primarily targets governments, political organizations, research institutions, and critical sectors such as energy, healthcare, and finance across the U.S. and Europe, and throughout the war in Ukraine it has attacked the Ukrainian military, political and diplomatic entities, think tanks, and non-profits. In the recent campaign, the threat actor impersonated the German embassy and delivered two malicious PDF files carrying diplomatic invitation lures. One PDF delivered a variant of the Duke malware family associated with APT29; the other carried no payload and appears to have served as a test, signaling back when opened. The lure themes, malware, and victimology match APT29’s known activity, attributing the campaign to the SVR. The attackers used Zulip, an open-source chat platform, for command and control, hiding their traffic inside legitimate web traffic. The first PDF, themed “Farewell to Ambassador of Germany,” contained embedded JavaScript for multi-stage payload delivery: it raised an alert on execution and launched a malicious HTML Application (HTA), which used DLL side-loading to deploy the Duke variant. The malware obfuscates its function calls with Windows API hashing and hides string values with XOR encryption, and it communicates with actor-controlled Zulip chat rooms so that its C2 blends with ordinary web traffic. The second PDF, themed “Day of German Unity,” was likely for reconnaissance: although payload-less, it notified the actor via a compromised domain when opened. The use of legitimate web services for C2 is consistent with APT29’s tactics in related campaigns, which have also included Microsoft OneDrive.
Insights:
This is the second such campaign against NATO-aligned targets this year: in April, APT29 used spear phishing posing as messages from European embassies to target diplomatic personnel. In that campaign, PDF attachments linked to deceptive web pages through JavaScript and used HTML smuggling to deliver payloads such as .ISO, .ZIP, and .IMG files. The initial payload, which researchers named SNOWYAMBER, was a lightweight custom dropper that gathered system data and connected to a command-and-control server hosted on Notion.
Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.
Chinese hackers target industrial systems in Eastern Europe
Researchers have recently reported on a campaign by APT31 (also tracked as “Judgment Panda” and “Zirconium”) targeting industrial systems in Eastern Europe. According to the researchers, the attackers aimed to establish a permanent channel for data exfiltration, including data held on air-gapped systems, and planted at least 15 implants and variants of them in the course of the campaign.
The group is generally regarded as part of China’s state intelligence program. While most of its activity falls within China’s extensive industrial espionage effort, the group has also been implicated in collecting political intelligence, including targeting email accounts belonging to campaign staff of the sitting US president, Joe Biden.
Ukrainian agency warns of Russian Starlink-hacking attempts.
Ukraine’s security service, the SBU, has claimed that hackers of Russia’s military intelligence agency (GRU) are attempting to deploy malware against the Starlink satellite communications system in order to collect data on Ukrainian troop movements. Ukrainian experts found malicious software on Ukrainian tablets that had been captured by Russian forces and later recovered from the battlefield. According to the agency, several kinds of information-stealing software were found on the tablets, at least one bearing the hallmarks of the Sandworm group, which reportedly used custom malware. Had it succeeded, the operation could have yielded highly valuable operational intelligence for Russian battlefield commanders.
China accuses US of hacking the Wuhan seismic laboratory
China’s Ministry of State Security has accused the United States of a cyberattack that allegedly targeted the Wuhan Earthquake Monitoring Center. The Global Times, a news outlet run directly by the Chinese Communist Party, accused US intelligence agencies of stealing Chinese earth-system science remote-sensing and telemetry data which, according to researchers, could be useful for deciphering data about potential nuclear testing. The announcement also serves, to a degree, as pushback in the information sphere, countering US accusations of Chinese cyber espionage and of the insertion of potentially disruptive malware into critical infrastructure.
New targets of Chinese cyber espionage uncovered
The previously reported compromise of Microsoft cloud email by Chinese hackers has been updated with newly disclosed targets, including at least one member of the US Congress, Representative Don Bacon, a vocal supporter of Taiwan who serves on the House Armed Services Committee. According to the Congressman’s own statement, his email account was compromised in the attack.
The attack is attributed to the threat group tracked as Storm-0558, which forged Azure Active Directory authentication tokens using an acquired Microsoft account (MSA) consumer signing key. Storm-0558 runs espionage operations targeting individuals with ties to Taiwanese and Uyghur geopolitical interests, as well as US and European diplomatic, economic, and legislative bodies.
Meaf Machines is Impacted by LockBit 3.0 Ransomware
Summary:
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed on a dark web forum that a company from the Netherlands, Meaf Machines (www[.]meaf[.]com), was compromised by LockBit 3.0 ransomware. Meaf Machines designs, develops, and builds extrusion machines for the global packaging and plastics processing industry and positions itself as a ‘one-stop-shop’ for extruders and thermoforming machines across a wide range of polymers and applications. The compromised data has not yet been published on the leak site, which may indicate ongoing negotiations between the victim and the ransomware group. It is plausible that the compromised data includes sensitive and confidential information.
The following screenshot was observed published on the dark web:
Source: Dark Web
Insights:
In 2023, LockBit 3.0 has been a worldwide menace, compromising private and governmental entities across the globe. The United States has been hit hardest, accounting for roughly 70% of the targeted organizations.
Vulnerability in ESET Smart Security
Summary:
The vulnerability potentially allows an attacker to abuse ESET’s file operations during a module update to delete or move files without holding the permissions to do so.
Insights:
A user logged on to the system can use the vulnerability for privilege escalation: the ESET GUI is misused to plant the files needed for the attack into specific folders, and file operations later performed by ESET’s updater component are then abused to delete or move an arbitrary file.
Impact:
ESET Smart Security could allow a local, authenticated attacker to gain elevated privileges on the system because of a flaw in the ekrn service.
Affected Products: https[:]//support[.]eset[.]com/en/ca8466-eset-customer-advisory-local-privilege-escalation-vulnerability-fixed-in-eset-security-products-for-windows
Hacktivists target the Japanese government, following the release of Fukushima wastewater
Summary:
Entities operating under the Anonymous banner, known as EUTNAIOA, have claimed responsibility for cyber protests against the Japanese government over its role in releasing treated wastewater from the Fukushima Daiichi Nuclear Power Plant. In an operation called “Tango Down,” the Anonymous Italia collective reportedly attacked 21 websites associated with the Fukushima facility, including those of Japan’s Ministry of the Environment, the Atomic Power Company, and the Nuclear Regulation Authority; the attacks were documented with screenshots and links to monitoring tools. The campaign followed the International Atomic Energy Agency’s endorsement of the plan to release treated Fukushima wastewater. The water contains radioactive elements from cooling the damaged reactors, although the plant’s operator says its advanced processing system removes most radionuclides. EUTNAIOA questions the safety of the decision and accuses the government of manipulating social media with AI and of paying bribes to downplay radiation levels, allegations denied by both the Japanese government and the IAEA.
Insights:
According to the hacktivists, the Japanese government and Tokyo Electric Power Company (TEPCO) decided to discharge the water into the ocean “without sufficiently engaging local communities and conducting a proper international public discourse.” The group acknowledges that the government and TEPCO relied on the guidance of international scientists, but contends that there is no unanimous consensus within academia about the safety of the plan.
Job Plus’s Data Advertised in Leak Site
Summary:
CYFIRMA Research team observed a potential data leak related to Job Plus (www[.]jobplus[.]biz), a staffing and recruiting company headquartered in Saudi Arabia. The compromised data includes user IDs, names, email addresses, passwords, system-admin status, mobile numbers, company manager IDs, gender, birth dates, and other confidential information, all in SQL format.
Source: Underground forums
Insights:
Opportunistic, financially motivated cybercriminals constantly look for exposed and weak systems and applications. Most of them trade in underground forums, buying and selling stolen digital assets. Unlike ransomware and extortion groups, who publicize their attacks, these actors prefer to operate discreetly: they exploit unpatched systems or application vulnerabilities to break in and exfiltrate valuable data, then advertise it for sale on underground platforms, where it changes hands and is reused in follow-on attacks by other actors.
Sprongo’s Data Advertised in Leak Site
Summary:
CYFIRMA Research team observed a potential data leak related to Sprongo (www[.]sprongo[.]com), a premium video service for skiers. The compromised data includes user ID, email, first name, last name, photo ID, cover photo ID, external link, sport, password, registration time, and other sensitive information, in SQL format.
Source: Underground forums
STRATEGIC RECOMMENDATION
MANAGEMENT RECOMMENDATION
TACTICAL RECOMMENDATION