Self Assessment

Weekly Intelligence Report – 24 May 2024

Published On : 2024-05-24
Share :
Weekly Intelligence Report – 24 May 2024

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows

Introduction
CYFIRMA Research and Advisory Team has found Diamond Ransomware while monitoring various underground forums as part of our Threat Discovery Process.

Diamond Ransomware.
In late April 2024, researchers identified a new ransomware strain known as Diamond, also referred to as Duckcryptor.

Upon execution, the ransomware encrypts files on the system and appends the extension “.[[email protected]].duckcryptor” to their filenames.

Subsequently, the ransomware altered the desktop wallpaper and generated two ransom notes: “Duckryption_info.hta” and “Duckryption_README.txt”.

Screenshot of files encrypted by ransomware (Source: Surface Web)

Screenshot of Diamond ransomware’s ransom note (“Duckryption_info.hta”): (Source: Surface Web)

Screenshot of Diamond (Duckcryptor)’s desktop wallpaper: (Source: Surface Web)

Appearance of Diamond (Duckcryptor) ransomware’s text file “Duckryption_README.txt” (Source: Surface Web)

The ransom notes reveal that the ransomware targets both individuals and organizations, with the ransom amount adjusted based on the victim’s perceived ability to pay.

Additionally, the threat actors warn of repeated attacks on organizations if the ransom is not paid.

Following are the TTPs based on the MITRE Attack Framework

Sr. No Tactics Techniques/Sub-Techniques
1 TA0002:Execution T1047: Windows Management Instrumentation
T1053: Scheduled Task/Job
T1059: Command and Scripting Interpreter
2 TA0003: Persistence T1053: Scheduled Task/Job
T1176: Browser Extensions
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
3 TA0004: Privilege Escalation T1053: Scheduled Task/Job
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1548: Abuse Elevation Control Mechanism
4 TA0005: Defense Evasion T1036: Masquerading
T1070.004: Indicator Removal: File Deletion
T1202: Indirect Command Execution
T1497: Virtualization/Sandbox Evasion
T1548: Abuse Elevation Control Mechanism
T1562.001: Impair Defenses: Disable or Modify Tools
T1564.001: Hide Artifacts: Hidden Files and Directories
5 TA0006: Credential Access T1003: OS Credential Dumping
6 TA0007: Discovery T1010: Application Window Discovery
T1082: System Information Discovery
T1083: File and Directory Discovery
T1497: Virtualization/Sandbox Evasion
T1518.001: Software Discovery: Security Software Discovery
7 TA0009: Collection T1005: Data from Local System
T1114: Email Collection
T1185: Browser Session Hijacking
8 TA0011: Command and Control T1071: Application Layer Protocol
9 TA0040: Impact T1486: Data Encrypted for Impact

Relevancy and Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • The ransomware is seen terminating C:\Windows\System32\vssadmin.exe process. This prevents the creation and use of Volume Shadow Copies, thereby hindering the ability to restore system files from backups.
  • The Ransomware places itself in “HKEY_LOCAL_MACHINE\ SOFTWARE \Microsoft\Windows NT\CurrentVersion\Image File Execution Options\” to manipulate the execution behaviour of the image. This registry key allows the ransomware to achieve persistence, silently execute alongside or instead of legitimate images, and maintain control over compromised systems, evading detection.
  • Calls to WMI: The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to execute commands, collect information, or perform system modifications.
  • Behavior Checks: The ransomware conducts behaviour checks on network adapters, which could indicate attempts to identify potential vulnerabilities or network configurations that could aid in its propagation or evasion of detection.

ETLM Assessment:
Based on the available information, CYFIRMA’s assessment suggests that the Diamond (Duckcryptor) ransomware is likely to evolve in order to target more sophisticated environments. This evolution may involve leveraging system management tools and registry manipulation for persistence. The increased utilization of WMI calls and network behavior checks indicates a trend toward employing more advanced and evasive techniques, which poses significant risks globally. The ransomware’s clear intention, as stated in its ransom note, is to generate substantial profits, thus it will particularly target developed regions such as the US, UK, East Asia, Southeast Asia, etc. Vigilance and robust cybersecurity measures are essential for effectively mitigating these threats.

Sigma Rule
title: Drops script at startup location threatname:
behaviorgroup: 1
classification: 7 logsource:
service: sysmon product: windows
detection: selection:
EventID: 11 TargetFilename:
– ‘*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.vbs*’
– ‘*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.js*’
– ‘*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.jse*’
– ‘*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.bat*’
– ‘*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.url*’
– ‘*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.cmd*’
– ‘*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.hta*’
– ‘*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.ps1*’
– ‘*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.wsf*’ condition: selection
level: critical
(Source: Surface web)

Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.

Trending Malware of the Week

Type: Backdoor
Objective: Espionage, Data Exfiltration
Threat Actor: Turla (aka Snake)
Target Entities: Diplomats and Foreign Affairs Ministries
Target Geographies: Europe and Middle East
Target Technology: Web Servers & Mail Servers

Active Malware of the Week
This week “Lunar” is trending.

Lunar
Researchers discovered two previously unknown backdoors, named LunarWeb and LunarMail, compromising a European ministry of foreign affairs (MFA) and its diplomatic missions, including diplomatic institutions of this MFA in the Middle East. LunarWeb, which targets servers, uses HTTP(S) for command and control (C&C) communications and mimics legitimate requests. LunarMail, targeting workstations, persists as an Outlook add- in and uses email for its C&C communications. Both backdoors utilize steganography to hide commands in images, evading detection. The Lunar toolset has likely been in use since at least 2020. Due to similarities in tactics, techniques, and procedures (TTPs) with past activities, researchers attribute these compromises to the Russia-aligned cyberespionage group Turla with medium confidence.

Technical Analysis
The analysis began with detecting a lunar loader decrypting and executing a payload from an external file on an unidentified server, leading to the discovery of a new backdoor named LunarWeb. Further analysis revealed LunarWeb deployed at a diplomatic institution of a European MFA. During another attack, simultaneous deployments of LunarWeb were observed at three diplomatic institutions of this MFA in the Middle East, occurring within minutes of each other. The attacker likely had prior access to the MFA’s domain controller and used it for lateral movement to related institutions within the same network.

Additionally, researchers identified a second backdoor, LunarMail, which uses a different method for command and control (C&C) communications. Following are the two observed Lunar backdoor compromise chains:

Stage 1 – Lunar Loader
The execution chain begins with a loader named LunarLoader, which uses the RC4 cipher to decrypt the path to the Stage 2 blob and read an encrypted payload. To ensure only one instance is active, it creates a mailslot with a unique name instead of using common synchronization objects. It derives a decryption key from the MD5 hash of the computer’s DNS domain name, which it verifies before decrypting the payload with AES-256, resulting in a PE file. LunarLoader allocates memory for the PE image, decrypts the name of an exported function, and runs this function in a new thread containing a reflective loader.

Using the DNS domain name for payload decryption acts as an execution guardrail, ensuring the loader only executes in the targeted organization, potentially hindering analysis if the domain name is unknown. LunarLoader can be standalone or part of trojanized open-source software. One observed case involved a trojanized AdmPwd, part of the Windows Local Administrator Password Solution (LAPS).

Stage 2 blob – Payload Container
The Stage 2 blob comprises four entries, including two unused strings, one being the base64-encoded version of freedom or death or freedom or death (yeah,we are alive), and 32-bit and 64-bit versions of the payload. While the purpose of the “freedom or death” string isn’t explicitly explained, it’s common for malware authors to include such strings for various reasons, such as tracking versions, distracting analysts, or as a signature.

Additionally, instead of a 32-bit payload, researchers found strings like “shit happens.” Two different backdoors were observed as payloads (LunarWeb and LunarMail), utilizing DLL names in the export directory with “e” suffixes indicating 64-bit versions.

  • mswt[e].dll – web transport (LunarWeb)
  • msmt[e].dll – mail transport (LunarMail) LunarWeb

LunarWeb, the initial payload discovered, functions as a backdoor, communicating with its C&C server via HTTP(S) and executing received commands. Deployed exclusively on servers, it initializes by locating or creating its state file and decrypting strings related to communication using RC4 with a static key. It collects victim identification data to calculate a victim ID used in communications. After safety checks, including assessing its lifespan and C&C server accessibility, it enters a communication loop with a delay of a few hours, skipped on the first run. If safety conditions fail, LunarWeb self-removes, deleting its files but leaving potentially detectable traces of the Stage 1 loader’s persistence method.

Initial Server Compromise
The initial server compromise involving LunarWeb remains partially unclear, but an installation-related component was found on one compromised server: a compiled ASP.NET web page named system_web.aspx. This filename is a known indicator of compromise (IoC) associated with Hafnium, a China-aligned APT group, but researchers believe this might be a coincidence or a false flag. When requested, the system_web.aspx page appears as a benign Zabbix agent log but secretly expects a password in a cookie named SMSKey. This password, combined with a specific salt, derives an AES-256 key and IV to decrypt two embedded blobs, dropped as temporary files in a directory excluded from scanning.

While the exact password remains unknown, the file sizes match the Stage 1 loader and the Stage 2 blob containing the LunarWeb backdoor. The attacker, or an unknown component, renames and moves these temporary files to their final destinations and establishes persistence. The attacker had prior network access, used stolen credentials for lateral movement, and meticulously compromised the server without raising suspicion.

They copied two log files over the network, disguised as Zabbix agent logs, moved them to the IIS web directory as the system_web page, and sent a HEAD request with a password, resulting in the creation of two .tmp files. These files, containing Stages 1 and 2, were then moved to specific locations. Finally, to maintain access and execute their code, the attacker set up a Group Policy extension in the registry using the Remote Registry service.

LunarWeb Configuration and Operation Configuration and State LunarWeb’s configuration, likely manually changed in the source code, is hardcoded into the binary, varying between samples. This includes C&C servers, unreachability threshold, communication format, and backdoor lifespan. It maintains a 512-byte state structure, stored in a file, with three slots accessed by index. While the first two slots are unused, the third is utilized. State slots are encrypted using RC4 with a key.

Information Collection
LunarWeb gathers host computer information and sends it to the C&C server upon initial contact:

  • Unique victim identification obtained via WMI queries:
  • Operating system version with serial number,
  • BIOS version with serial number, and
  • Domain name.
  • Further system information obtained via shell commands:
  • Computer and operating system information (output of systeminfo.exe),
  • Environment variables,
  • Network adapters,
  • List of running processes,
  • List of services, and
  • List of installed security products.

Communication
After initialization, LunarWeb communicates with its C&C server via HTTP(S), employing a custom binary protocol with encrypted content. It utilizes three URLs, each serving different purposes: one for initial contact, uploading host computer information, and two for receiving commands, each on a different server, referred to as command URLs. To conceal its C&C communications, LunarWeb mimics legitimate traffic by spoofing HTTP headers with genuine domains and commonly used attributes. It can also receive commands disguised within images, such as impersonating Windows services (Teredo, Windows Update). Victim identification is included in HTTP requests, either through randomly generated cookies or URL query parameters containing a victim ID. LunarWeb can also use an HTTP proxy server for C&C communications if necessary.

Receiving Commands
LunarWeb retrieves commands from the C&C server via a GET request to the command URL, with the request and response formats varying across five supported formats determined by a hardcoded value. Depending on the format, received data may require decoding with base64 or extraction from an image. Communication formats 0 and 1 decrypt data using RSA-4096, while formats 2, 3, and 4 utilize a more complex process involving AES-256 decryption and zlib decompression. After decryption and decompression, the data forms a command package with a unique ID, compared to the last processed ID stored in the backdoor’s state. If different, the package is processed, and the last ID is updated.

Cryptographic operations are performed using a statically linked Mbed TLS library, utilizing two embedded RSA-4096 keys for encryption and decryption, as outlined in their GitHub repository.

Exfiltrating Data
Data undergoes zlib compression and AES-256 encryption, with a session key and IV derived from the data’s size, along with a hash-based message authentication code (HMAC). AES encryption involves generating a random 32-byte AES seed, encrypted using RSA-4096, then derived into a session key using SHA-256 hashing. Encrypted data, along with decryption and integrity metadata, is sent via POST requests to the C&C server, delayed by a sleep of 34 to 40 seconds. Command packages include an output URL for sending results, which could be the same or a different server. If output data exceeds 1.33 MB after compression, it is split into multiple parts of random size (384–512 KB).

Commands
LunarWeb possesses standard backdoor functionalities, enabling file and process operations and executing shell commands, including PowerShell and Lua code. It supports a variety of capabilities, including running reconnaissance commands to gather system and network information, user details, installed programs, and security settings. Notably, it can retrieve Zabbix configurations using a specific file path. Additionally, some commands may produce error messages referencing them as “tasks,” indicating incorrect formatting.

LunarMail
The second backdoor, LunarMail, is similar to LunarWeb but communicates through email with its C&C server. Unlike LunarWeb, LunarMail is intended for deployment on user workstations and persists as an Outlook add-in. It draws inspiration from LightNeuron, a Turla backdoor with a similar email-based communication method, although no code similarities were found between them. Other Turla backdoors with similar operations include the Outlook backdoor.

Malicious Document Delivery
In another compromise, an older malicious Word document was discovered, likely from a spear phishing email. Despite being a DOC file, it’s actually in DOCX format, which is a ZIP archive that can hold extra content. This document contains 32- and 64-bit versions of a Stage 1 loader and a Stage 2 blob containing the LunarMail backdoor. The installation is facilitated by a VBA macro executed on document opening. The macro calculates a victim ID from the computer name and informs its C&C server by pinging a specific URL with the ID. It then creates a directory and extracts the necessary files from the ZIP/DOCX content. Persistence is established via Outlook add-in registry settings, mimicking Gpg4win’s Outlook add-in, GpgOL. Once deployed, the Stage 1 loader appears in Outlook Add-Ins.

Initialization
During initialization, the backdoor decrypts encrypted strings, including a regex expression used as a filter to search for the email profile for C&C purposes. These strings are encrypted using RC4 with a static key. To interact with Outlook, the backdoor dynamically resolves the required Outlook Messaging API (MAPI) functions. Additionally, the backdoor creates a directory in the %TEMP% path on each run, serving as a staging directory for data exfiltration.

Configuration and State
Similar to LunarWeb, LunarMail’s configuration entries are hardcoded in the binary, encompassing conditions to locate an Outlook profile for C&C communications, default exfiltration settings, and the backdoor’s lifespan limit. Unlike LunarWeb, LunarMail maintains a single-state file that persists in %LOCALAPPDATA%\Microsoft\Outlook\outlk.share. This 668-byte structure is updated during execution, storing details such as the timestamp of the last command executed and the current staging directory. Subsequent runs replace the previous staging directory with a new one.

Information Collection
During its initial operation, the LunarMail backdoor gathers environmental variables and recipients’ email addresses from sent email messages. It also decrypts a batch file containing system information commands, though this file is not executed. In specific error scenarios, it collects the email addresses associated with available Outlook profiles.

Communication and Commands
The LunarMail backdoor operates within Outlook, utilizing the Outlook Messaging API (MAPI) to communicate with its command and control (C&C) server. It receives commands and exfiltrates data through email messages, demonstrating its stealthy operation within the email environment.

Profile Search
LunarMail initiates communication by searching for compatible Outlook profiles from Microsoft Exchange. These profiles must adhere to specific criteria, including having four default folders and containing the domain of the targeted institution in the email address. Profiles that match these conditions are further filtered based on a regex pattern to exclude legitimate institutional emails. Once a suitable profile is found, initial information is sent.

Subsequent communication involves searching the inboxes of potential profiles for emails containing commands. This dynamic approach eliminates the need for hardcoded profiles and complicates identification. Furthermore, commands can specify a particular profile to use, a setting that is retained in the backdoor’s state.

Receiving Commands
LunarMail identifies a profile containing commands by scrutinizing email messages and attempting to analyze their attachments. These attachments must adhere to strict criteria: being a single PNG image with a .png extension and a size of ≤10 MB. The backdoor then inspects the IDAT chunks of the PNG file, seeking specific components such as an AES seed, an exfiltration configuration, and command chunks. All these elements are zlib- compressed and encrypted, with RSA-4096 used for the former and AES for the latter two. It’s intriguing that these chunks must maintain the PNG format, complete with validated CRCs, resulting in a visually noisy yet technically valid image due to the encrypted and compressed content.

LunarMail employs the same cryptographic methods as LunarWeb, including the Mbed TLS library and two RSA-4096 keys. The structure of the decompressed exfiltration configuration mirrors LunarWeb’s command package metadata, detailing the destination for command outputs and employing an ID to prevent duplicate commands stored in state.

Following decryption and decompression, LunarMail commands exhibit an identical structure to LunarWeb’s. Each parsed command is executed, with outputs stored in the staging directory for subsequent exfiltration. Significantly, emails that fail parsing for commands have their IDs cached to prevent redundant parsing. However, this cache isn’t retained between backdoor executions and is rebuilt each time. Successfully parsed emails are promptly deleted post-processing.

Commands
LunarMail offers a more streamlined set of command capabilities compared to LunarWeb. It can create files, initiate new processes, and, uniquely, capture screenshots and adjust the C&C communication email address. Unlike LunarWeb, it doesn’t feature distinct commands for executing shell or PowerShell commands, but it does support Lua scripts.

Upon execution, commands deposit their outputs into files within the staging directory.

Exfiltrating Data Preparation

LunarMail prepares data for exfiltration by embedding it into PNG images or PDF documents, determined by the attachment extension specified in the exfiltration configuration. PNG and PDF files are constructed using predefined content templates. For PNG files, LunarMail utilizes a template featuring the institution’s logo, suggesting prior familiarity with the compromised system. To create a PNG containing output files, LunarMail initiates by generating a random 32-byte AES seed for encryption.

Subsequently, it generates IDAT chunks containing data and integrates them into the PNG template. These chunks consist of:

  • Chunk with AES seed – RSA-4096 encrypted and zlib compressed.
  • Chunk(s) with filename and content – AES-256 encrypted and zlib compressed.

Before compression and encryption, the output file name and content are structured alongside a magic string (001035) within the PNG chunks, ensuring adherence to PNG specifications. To complete the image, the IEND footer chunk is appended. Alternatively, LunarMail produces PDF files using an encrypted template, the content of which remains undisclosed. Output files with metadata are inserted into the PDF template, facilitating parsing and decryption. Once embedded, files staged for exfiltration are deleted, remaining temporarily in the staging directory until transmission.

Exfiltrating Data – Transmission
Prepared PNGs or PDFs, containing output files, are dispatched as email attachments to a controlled inbox, adhering to predefined configurations. Default settings dictate recipient, subject, message body, and attachment filename. Although the email content mirrors the language of the compromised institution, it appears translated due to unnatural phrasing.

Customized exfiltration configurations can override the default settings. HTML format may be employed for the email body, with PNGs embedded as images. Messages are flagged for deletion post-transmission, ensuring a discrete exfiltration process.

INSIGHTS

  • The potential connection to the Turla cyberespionage group adds a layer of complexity and sophistication to the Lunar backdoor incidents. Turla, known for its extensive history and strategic targeting of governmental and diplomatic organizations across Europe, Central Asia, and the Middle East, brings a high level of threat to the table. This affiliation suggests a deeper level of state-sponsored cyber activity, highlighting the evolving landscape of cyber threats.
  • The emergence of the Lunar backdoors highlights a concerning trend in cyber threats, with their potential connection to the Turla cyberespionage group amplifying the severity. These sophisticated malware variants, LunarWeb and LunarMail, showcase a shift in tactics. Moreover, the targets of these backdoors, including the European Ministry of Foreign Affairs (MFA) and its diplomatic missions abroad, along with diplomatic institutions in the Middle East, signify a strategic focus on intelligence gathering by threat actors.
  • The key differentiation between LunarWeb and LunarMail is that they differ in their methods of command and control (C&C) communication. LunarWeb employs a conventional HTTP(S) approach, disguising its traffic to resemble legitimate services like Windows Update, while LunarMail utilizes Outlook email messages for C&C communication, using PNG images or PDF documents to exfiltrate data. These distinct methods showcase the toolset’s adaptability and evasion tactics against detection mechanisms.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that the emergence of sophisticated backdoors like LunarWeb and LunarMail signals a concerning trajectory in cyber threats, with cybercriminals constantly innovating to breach organizational defenses. As these threats become increasingly intricate, organizations face heightened risks to their digital security. The use of steganography to conceal commands within images underscores the evolving sophistication of malware techniques, posing challenges for traditional detection methods. Looking ahead, it’s evident that cybercriminals will continue refining their tactics and adapting to the evolving cybersecurity landscape. While Lunar is currently targeting specific regions like Europe and the Middle East, historical patterns indicate that threat actors like Turla have historically targeted a broader geographic scope, including Europe, Central Asia, and the Middle East. This suggests the potential for Lunar to expand its target geography in the future, posing a broader threat landscape for organizations.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Deploy an Extended Detection and Response (XDR) solution as part of the organization’s layered security strategy that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.
  • Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT RECOMMENDATIONS

  • Implement real-time website monitoring to analyze network traffic going in and out of the website to detect malicious behaviours.
  • Move beyond the traditional model of security awareness towards Improved Simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.
  • Secure your organization’s internet-facing assets with robust security protocols and encryption, including authentication or access credentials configuration, to ensure that critical information stored in databases/servers is always safe.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Consider the following multi-layered protection program:
  • Anti-evasion technology that prevents advanced evasion techniques that use embedded files and malicious URLs.
  • Anti-phishing engines to prevent any type of phishing attack before it reaches users.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implant, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – RansomHouse Ransomware, RansomHub Ransomware | Malware –Lunar
  • RansomHouse Ransomware – One of the ransomware groups.
  • RansomHub Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – Lunar
  • Behaviour –Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Emerging Threat: Void Manticore’s Destructive Cyber Campaigns Targeting Israeli Organizations

  • Threat Actors: Void Manticore
  • Attack Type: Public-facing web server
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: Israel
  • Target Industries: Government & Critical Infrastructure
  • Business Impact: Data Loss, Data exfiltration

Summary:
Void Manticore (aka Storm-842) is an Iranian state-sponsored threat actor known for conducting destructive attacks on Israeli organizations and leaking information through the online persona ‘Karma’ (sometimes written as KarMa). These operations often target sectors such as government, finance, and critical infrastructure, aligning with Iran’s broader offensive strategy. The group employs straightforward and efficient techniques aimed at causing rapid and significant damage. Their operations extend beyond Israel, with attacks also reported in Albania, where they use the persona ‘Homeland Justice’ to leak stolen data. In Israel, Void Manticore is notable for utilizing a custom wiper named BiBi, after Israeli Prime Minister Benjamin Netanyahu.

One common method Void Manticore uses to gain access to target systems is through internet-facing web servers like CVE-2019-0604, where they deploy web shells like the custom “Karma Shell.” This tool, disguised as an error page, can list directories, create processes, upload files, and manage services, using simple encryption methods like base64 and one-byte XOR for obfuscation. They have also been observed uploading a custom executable, do.exe, which checks for Domain Admin credentials. Upon successful authentication, it installs another web shell, reGeorge, indicating valid credentials. This suggests the initial access might be facilitated by another entity, possibly Scarred Manticore, a more sophisticated threat actor.

After gaining access, Void Manticore uses Remote Desktop Protocol (RDP) for lateral movement and SysInternal’s AD Explorer to gather information about the target network. On compromised hosts, they establish command and control (C2) channels using an OpenSSH client. These steps enable them to control the network environment and prepare for deploying destructive payloads. The group employs custom wipers to achieve their destructive goals. These wipers either selectively corrupt specific files within the system or destroy the system’s partition table, making all data on the disk inaccessible.

One notable tool in their arsenal is the CI Wiper, This wiper employs a legitimate driver, ElRawDisk, to interact directly with the disk, allowing it to wipe files, disks, and partitions. The use of ElRawDisk has been seen in other wipers associated with Iranian actors, indicating a shared methodology. Void Manticore’s activities extend beyond Israel, with attacks in Albania where they use the persona ‘Homeland Justice’ to leak stolen data. This dual approach combines psychological warfare with data destruction, amplifying the impact on targeted organizations. Their attacks often carry politically charged messages, as demonstrated by the custom BiBi wiper.

The collaboration between Void Manticore and Scarred Manticore highlights a sophisticated level of coordination, allowing Void Manticore to benefit from advanced capabilities and access to high-value targets. The observed handoff procedures between the two groups underscore a strategic alignment, enhancing Void Manticore’s effectiveness and reach.

Relevancy & Insights:
Void Manticore (also known as Storm-842) is an Iranian threat actor notable for its destructive campaigns and information leaks using the online persona ‘Karma’. Their operations show significant overlap with Scarred Manticore (Storm-861), indicating collaboration between the two groups. Instances where victims are transferred from Scarred Manticore to Void Manticore suggest a cooperative relationship spanning multiple operations in Israel and Albania. Void Manticore, believed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS), has conducted BiBi Wiper attacks in both Israel and Albania. The BiBi Wiper malware, initially used to cause data destruction, now includes a new version that deletes the disk partition table, making data restoration more difficult and extending downtime for the victims. This threat actor targets Israeli organizations as part of a broader Iranian intelligence strategy, aiming to disrupt critical sectors and cause significant operational setbacks.

ETLM Assessment:
Void Manticore, an Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS), targets Israeli organizations and extends its reach to Albania. This group collaborates with Scarred Manticore, utilizing initial access and infrastructure provided by them. They aim for cyberespionage through destructive wiping attacks and influence operations, primarily focusing on government, finance, and critical infrastructure sectors. Void Manticore employs custom wipers for both Windows and Linux, including the BiBi Wiper, which now deletes disk partition tables to complicate data restoration and prolong downtime. Their tactics also involve manual deletion of files, ransomware, and leveraging Scarred Manticore’s prior compromises to enhance their disruptive operations. The involvement of this threat actor, along with others, raises serious concerns and may increase in the future due to conflicts and rising tensions in the Middle East. Additionally, a wide range of hack and leak personas have emerged, specifically targeting Israel, further complicating the threat landscape.

Recommendations:

  • Provide regular training to employees on recognizing and responding to phishing attacks, social engineering, and other common tactics used by threat actors.
  • Enforce strict access controls, ensuring users have the minimum level of access necessary for their roles. Implement multi-factor authentication (MFA) to add an extra layer of security for accessing sensitive systems and data.
  • Deploy advanced threat detection solutions that leverage behavioural analysis and machine learning to identify unusual patterns indicative of Void Manticore’s tactics.
  • Implement robust firewall rules and intrusion detection/prevention systems (IDS/IPS) to monitor and block suspicious activities, particularly on internet-facing web servers.
  • Maintain an effective patch management program to ensure all systems and software are updated with the latest security patches, reducing the risk of exploitation by custom wipers and other malware.

IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

China intensifies its information war on the West
Over the past 24 months, the Chinese information operations have switched from pushing predominately pro-China content to more aggressively target US politics. It’s a part of a wider multibillion-dollar influence campaign by the Chinese government, which has used millions of accounts on dozens of internet platforms ranging from X and YouTube to more fringe ones, where Chinese operators have been trying to push pro-China content. It’s also been among the first to adopt cutting-edge techniques such as AI-generated profile pictures and video avatars. Over the past five years, the researchers who have been tracking the campaign have watched as it attempted to change tactics, using video, automated voiceovers, and most recently the adoption of AI to create profile images and content designed to inflame existing divisions.

ETLM Assessment:
There’s little doubt at this point that TikTok is censoring Americans’ videos on topics sensitive to Beijing, as well as providing lots of personal data on Americans (and Canadians, and everyone else) to the Chinese government. Canada’s intelligence agency recently warned citizens not to use TikTok due to privacy concerns. Meanwhile, TikTok is far from China’s only vector of information warfare. The country has flooded American social media with bots and human-operated accounts attempting to spread disinformation and divisive messaging.

Chinese hackers targeting the shipping industry
Researchers have published a report on activity observed in the last 6 months in which the Chinese hacking group Mustang Panda was deploying malware against the shipping industry in Europe. Researchers detected Korplug loaders utilized by Mustang Panda on computer systems belonging to cargo shipping companies based in Norway, Greece, and the Netherlands, including some that appeared to be aboard the cargo ships themselves.

ETLM Assessment:
While it is not clear why exactly is China targeting the shipping industry, it might be mapping the field and trying to insert cyber capabilities into critical infrastructure which it could activate in a crisis. In a conflict scenario (typically over Taiwan), China could use their pre-positioned cyber capabilities to wreak havoc in civilian infrastructure and deter coordinated Western military action.

Rise in Malware/Ransomware and Phishing

The RansomHouse Ransomware impacts the Gantan Beauty Industry

  • Attack Type: Ransomware
  • Target Industry: Construction
  • Target Geography: Japan
  • Ransomware: RansomHouse Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Japan; (www[.]gantan[.]co[.]jp), was compromised by the RansomHouse Ransomware. Gantan Beauty Industry Co., Ltd. specializes in metal roofing solutions for both commercial and residential buildings. The company offers various products, including metal roofs, integrated gutters, and other roofing accessories. The compromised data includes sensitive and confidential information related to the organization. The total volume of compromised data is approximately 400 GB.

The following screenshot was observed published on the dark web

Source: Dark Web

Relevancy & Insights:

  • RansomHouse emerged in March of 2022 and is categorized as a multi-pronged extortion threat. The attackers exfiltrate all enticing data and threaten to post it all publicly.
  • RansomHouse, a ransomware-as-a-service (RaaS) group, has recently been in the spotlight for using a new tool called “MrAgent” to automate attacks on VMware ESXi servers. The MrAgent tool is designed to streamline the deployment of ransomware across large environments by automating tasks such as disabling firewalls, ending non-root SSH sessions, and spreading the ransomware to multiple hypervisors simultaneously. This tool supports both Windows and Linux systems, indicating RansomHouse’s strategy to maximize its reach and impact.
  • RansomHouse operations tend to be ‘smaller’ or more ‘controlled’ than some bigger players. They openly solicit new ‘team members’ on known underground marketplaces, as well as collaborating on the Telegram service. The group has opted for the more efficient route of exfiltration only. This means the group steals victim data, skipping the encryption step. This can make the attacks stealthier and potentially lead to a much longer dwell time since no encryption means fewer alarms are triggered. Victims, as well as journalists and reporters, are directed to RansomHouse’s ‘PR Telegram Channel’ for any questions or support around the group’s campaigns.
  • The RansomHouse Ransomware group primarily targets countries such as the United States of America, Italy, Malaysia, the United Kingdom, and Spain.
  • The RansomHouse Ransomware group primarily targets industries, such as Pharmaceuticals, Computer Services, Health Care Providers, Business Support Services, and Aerospace.
  • Based on the RansomHouse Ransomware victims list from 1 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by RansomHouse Ransomware from 1 Jan 2023 to 22 May 2024 are as follows:

ETLM Assessment:
RansomHouse ransomware is known to target large enterprises and high-value targets. RansomHouse ransomware targets its victims through phishing and spear phishing emails. They are also known to use third-party frameworks (e.g., Vatet Loader, Metasploit, Cobalt Strike). Based on the available information, CYFIRMA’s assessment indicates that RansomHouse ransomware will continue to target various industries globally, with a significant emphasis on the United States, European, and Asian regions. The recent breach targeting the Gantan Beauty Industry, a leading Construction firm based in Japan, serves as a potential indicator of RansomHouse ransomware’s inclination towards targeting organizations across the Asia Pacific.

The RansomHub Ransomware impacts the Chuo System Service Co., Ltd

  • Attack Type: Ransomware
  • Target Industry: Business Support Services
  • Target Geography:Japan
  • Ransomware: RansomHub Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Japan; (www[.]Chuoss[.]co[.]jp), was compromised by the RansomHub Ransomware. Chuo System Service Co., Ltd. (CSS) is a Japanese IT company specializing in the planning, design, development, and maintenance of business systems. They also provide medical package software solutions and offer services across various industries, including retail, banking, and gas utilities. The company is known for its custom IT solutions, such as warehouse management and ATM software. CSS emphasizes creating a fair and professional work environment to achieve high customer satisfaction. The compromised data contains sensitive and confidential information related to the organization. The total volume of compromised data is approximately 20 GB.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • In February 2024, RansomHub posted its first victim, the Brazilian company YKP.
  • RansomHub comprises hackers from various global locations united by a common goal of financial gains. The gang explicitly mentions prohibiting attacks on specific countries and non-profit organizations. The gang’s website states that they refrain from targeting CIS, Cuba, North Korea, and China. While they suggest a global hacker community, their operations notably resemble a traditional Russian ransomware setup.
  • In February 2024, a UnitedHealth Group subsidiary faced IT system shutdowns due to a cyberattack by an ALPHV affiliate on Change Healthcare, a platform it uses. ALPHV operators dismantled their infrastructure post-attack, failing to pay the affiliate. Change Healthcare allegedly paid a $22 million ransom, only to be hit again by a new group, RansomHub, claiming to possess 4 terabytes of sensitive data. It’s suspected that the affiliate collaborated with RansomHub after ALPHV didn’t pay up, using previously stolen data for leverage. Change Healthcare’s removal from RansomHub’s DLS suggests possible negotiation with the threat actors as of April 20, 2024.
  • RansomHub Ransomware group primarily targets countries such as the United States of America, Brazil, the United Kingdom, Slovakia, and Malaysia.
  • RansomHub Ransomware group primarily targets industries, such as Computer Services, Heavy Construction, Renewable Energy Equipment, Restaurants & Bars, and Software.
  • Based on the RansomHub Ransomware victims list from 1 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by RansomHub Ransomware from 1st Jan 2023 to 22 May 2024 are as follows:

ETLM Assessment:
The RansomHub group seems to be a recently emerged ransomware group, likely with roots in Russia. Due to the benefits it offers its affiliates and the strict controls it enforces, they could be vying for the leadership position amidst pressure from security forces to major players like LockBit and ALPHV. However, their ransomware strains appear to be just a revised version of an old sample for now. An interesting part is that this strain is also written in the Golang language. Based on CYFIRMA’s assessment, RansomHub Ransomware targets organizations worldwide. The attack on Chuo System Service Co., Ltd also highlights ransomware groups’ interest in organizations from the Asia Pacific, financially strong in the region with exploitable vulnerabilities.

Vulnerabilities and Exploits

Vulnerability in Mozilla Focus for iOS

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Web Browser
  • Vulnerability: CVE-2024-5022 (CVSS Base Score 4.3)
  • Vulnerability Type: User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Summary:
The vulnerability allows a remote attacker to perform a spoofing attack.

Relevancy & Insights:
The vulnerability exists due to incorrect processing of URLs with file scheme.

Impact:
A remote attacker can trick the victim into visiting a specially crafted webpage and spoof addresses in the location bar.

Affected Products: https[:]//www[.]mozilla[.]org/en-US/security/advisories/mfsa2024-24/

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment:
Vulnerabilities in Firefox Focus can pose significant threats to user privacy and security. This can impact various industries globally, including technology, finance, healthcare, and beyond. Ensuring the security of Firefox Focus is crucial for maintaining the privacy and protection of users’ data worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding online activities across different geographic regions and sectors.

Latest Cyber-Attacks, Incidents, and Breaches

LockBit3.0 Ransomware attacked and Published data of Thai Agri Foods Public Company Limited

  • Threat Actors: LockBit3.0 Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Application
  • Target Geographies: Thailand
  • Target Industry: Agriculture and Agribusiness
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:
Recently we observed that LockBit3.0 Ransomware attacked and Published data of Thai Agri Foods Public Company Limited on its darkweb website. Thai Agri Foods Public Company Limited(www[.]thaiagri[.]com), headquartered in Thailand, is a prominent food processing company. The company specializes in the production of frozen and canned food products, using fresh ingredients such as seafood, fruits, and vegetables. They offer a wide range of products under several brands including Aroy- D, Savoy, Foco, Panchy, Little Chef, Uni Eagle, and Fuco. These products include coconut milk, sauces, curry pastes, canned fruits, juices, and ready-to-eat meals. TAF has customers in over 70 countries. The data leak, following the ransomware attack, encompasses a broad spectrum of sensitive and confidential information pertinent to the organization.

Source: Dark Web

Relevancy & Insights:

  • Leaked LockBit 3.0 builder has resurfaced. Recent observations reveal that the LockBit 3.0 builder, leaked in 2022, has significantly streamlined the creation of customized ransomware. Files encrypted with payloads generated using this leaked builder cannot be decrypted using existing tools that rely on a known-victim ID list obtained by authorities, during a recent law enforcement takedown. This is primarily because the independent groups behind these attacks did not share their private keys with the Ransomware-as-a-Service (RaaS) operator. Custom LockBit builds created with the leaked builder have been involved in several incidents worldwide.
  • In February 2024 LockBit was disrupted by Operation Cronos, a campaign enacted by various law enforcement agencies from around the world, including the Federal Bureau of Investigation (FBI), the National Crime Agency (NCA), and Europol. Together, these agencies took control of LockBit’s websites and servers, compromised its entire criminal enterprise, and arrested and charged various individuals. But LockBit ransomware returned to attack with new encryptors, and servers right after the disruption.

ETLM Assessment:

  • Based on the available information, CYFIRMA’s assessment indicates that LockBit 3.0 ransomware will continue to target various industries globally, with significant emphasis on the United States, Europe, and Asia. The recent breach targeting Thai Agri Foods Public Company Limited, a leading agriculture and agribusiness firm in Thailand, serves as a potential indicator of LockBit 3.0 ransomware’s increased focus on organizations across Southeast Asia.

    Data Leaks

    Centurion University Data Advertised on a Leak Site

    • Attack Type: Data Leak
    • Target Industry: Education
    • Target Geography: India
    • Objective: Data Theft, Financial Gains
    • Business Impact: Data Loss, Reputational Damage

    Summary:
    The CYFIRMA Research team observed a potential data leak related to Centurion University, {www[.]cutm[.]ac[.]in} in the Telegram Channel. The hacktivist group known as “Hacktivist Indonesia” has publicly disclosed the complete database of Centurion University. The leaked data, made available on May 19, 2024, includes highly sensitive information about numerous applicants, students, and staff associated with the university. The breach, targeting the website of Centurion University (www[.]cutm[.]ac[.]in), has exposed a wide range of personal details. The compromised data encompasses IDs, names, campus affiliations, course details, gender, email addresses, mobile numbers, dates of birth, categories, nationalities, religions, Aadhar numbers, and detailed family information. Additionally, educational backgrounds, including scores and institutions from secondary to postgraduate education, and payment details are part of the exposed dataset.

    Source: Telegram

    Relevancy & Insights:
    Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

    ETLM Assessment:

    According to CYFIRMA’s assessment, Hacktivist Indonesia is a cyber-attack group that has recently made headlines for targeting Indian government websites. The group has claimed it intends to attack 12,000 websites associated with various Indian governmental bodies. These attacks are primarily carried out using Distributed Denial- of-Service (DDoS) methods, which overwhelm servers with excessive traffic, causing disruptions in accessing online services. The targeted institutions lacked robust security postures and were susceptible to potential cyberattacks orchestrated by this threat actor.

    Recommendations: Enhance the cybersecurity posture by

    • Updating all software products to their latest versions is essential to mitigate the risk of vulnerabilities being exploited.
    • Ensure proper database configuration to mitigate the risk of database-related attacks.
    • Establish robust password management policies, incorporating multi-factor authentication and role-based access, to fortify credential security and prevent unauthorized access.

    Other Observations

    CYFIRMA Research team observed a potential data leak related to Sakaem Logistics (www[.]sakaemlogistics[.]com). Sakaem Logistics is a reputable auto transport company offering a range of vehicle shipping services across the United States and internationally. CyberNiggers threat actor group claims to have breached the CI/CD server of Sakaem Logistics, resulting in the leak of a substantial amount of the company’s source code.

    Source: Underground forums

    ETLM Assessment:
    CyberNiggers threat actor group has become active in underground forums and has emerged as a formidable force in cybercrime mainly for financial gains. The threat actor has already targeted Government, Industrial Conglomerates, Retail, Staffing, Business consulting, Banks, E-Commerce, Electric & Utilities industries indicating its intention to expand its attack surface in the future to other industries globally.

    STRATEGIC RECOMMENDATIONS

    • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
    • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
    • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
    • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
    • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

    MANAGEMENT RECOMMENDATIONS

    • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
    • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
    • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and are measured against real attacks the organization receives.
    • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
    • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.

    TACTICAL RECOMMENDATIONS

    • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
    • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
    • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
    • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
    • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

    Situational Awareness – Cyber News

    Please find the Geography – Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

    Geography-Wise Graph

    Industry-Wise Graph

    For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, technology, please access DeCYFIR.