CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.
Type: Ransomware.
Target Technologies: MS Windows.
Targeted Geography: Austria, Netherlands.
Targeted Industries: Hotel, Retailers.
CYFIRMA Research and Advisory Team has found a new INC ransomware while monitoring various underground forums as part of our Threat Discovery Process.
Relevancy: This ransomware targets the Windows Operating system commonly used by many organizations of various industries. The recent victim is: A retail Industry in the Netherlands.
Researchers have identified a new ransomware strain called INC, targeting large commercial entities. The ransomware will encrypt the file and append it with the “.INC” extension.
After the encryption process was concluded, INC ransomware created a ransom note titled “INC-README.txt”.
“Server 1,” “Server 2,” and “Server 3” are references to different computer systems or servers that were involved in the sequence of events. They are distinct server instances that were accessed and interacted with by the threat actor during various stages of the attack.
The research uncovered initial signs of the ransomware threat actor’s activity, marked by brief 2-3 second connections to Server 1. These connections, originating from the same IP address, utilized three distinct source system names (ylqlCXO9VdRiZ5JK, aJLXC9TzxgInkqf4, and UxUZNZXxMeBN2jox). All accessed the target system using the same account name.
About four and a half hours later, compromised credentials were utilized for Remote Desktop Protocol (RDP) access to the same system. This 30-minute connection involved minimal enumeration activities, including commands like ‘net group domain admins /domain’ and ‘nltest.exe’.
Subsequently, a brief RDP login to Server 2 was noted, employing previously observed credentials. During this session, several 7-Zip commands were used for data collection in a consistent format: 7.exe a -mx3 -xr!*.exe -xr!*.mp4 -xr!*.wmv -xr!*.mov -xr!*.avi -xr!*.MXF -xr!*.MTS -xr!*.vhd <archive name> <source folder>.
Native tools (Wordpad.exe, Notepad.exe, MSPaint) were used by the threat actor to view documents and images. Moreover, MEGASync installation on Server 2 likely aided data exfiltration.
The threat actor revisited Server 2 via RDP, repeating collection and data staging commands. Later, they accessed Server 3 via RDP, followed by installing Advanced IP Scanner. Shortly after, lateral movement to Server 2 occurred via RDP.
During the Server 3 logon, the threat actor employed Internet Explorer (iexplore.exe) to browse other systems’ folders and mstsc.exe to attempt lateral movement. PuTTY was installed, and around three hours later, lsassy.py-based credential access commands were executed on all servers. Roughly four hours following the Server 3 logon, the threat actor executed copy and wmic.exe commands consecutively, distributing the file encryption executable to various endpoints. Additionally, PSExec was used to launch the executable, renamed “winupd,” resulting in System Event Log records.
While the research revealed difficulties in running the encryption executable on Server 3, with no signs of encrypted files or ransom notes, the threat actor attempted troubleshooting using <redacted>.exe –debug commands.
Files Encrypted by INC Ransomware(Source: Surface web)
INC Ransomware Note (source: surface web)
Countries Targeted by INC Ransomware
Following are the TTPs based on MITRE Attack Framework.
Sr. No | Tactics | Techniques/Sub-Techniques |
1 | TA0001: Initial Access | T1078.002: Valid Accounts: Domain Accounts |
2 | TA0002: Execution | T1059.001: Command and Scripting Interpreter: PowerShell |
T1059.003: Command and Scripting Interpreter: Windows Command Shell | ||
T1047: Windows Management Instrumentation | ||
3 | TA0003: Persistence | T1078.002: Valid Accounts: Domain Accounts |
4 | TA0004: Privilege Escalation | T1078.002: Valid Accounts: Domain Accounts |
5 | TA0006: Credential Access | T1003.001: OS Credential Dumping: LSASS Memory |
6 | TA0007: Discovery | T1482: Domain Trust Discovery |
7 | TA0008: Lateral Movement | T1021.001: Remote Services: Remote Desktop Protocol |
T1021.002: Remote Services: SMB/Windows Admin Shares | ||
8 | TA0009: Collection | T1560.001: Archive Collected Data: Archive via Utility |
9 | TA0010: Exfiltration | T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage |
10 | TA0040: Impact | T1486: Data Encrypted for Impact |
Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.
Type: Remote Access Trojan (RAT)
Objective: Information Stealing
Target Technology: Windows OS
Active Malware of the Week
This week “QwixxRAT” is trending.
In August 2023, researchers found a malware called QwixxRAT (also known as Telegram RAT). It is being distributed by a threat actor through platforms like Telegram and Discord. This malware is designed to secretly gather sensitive information from Windows computers where it’s installed. The collected data is then sent to the attacker’s Telegram bot, giving them unauthorized access to the victim’s private information. This threat affects both businesses and individual users, as the malware discreetly infects devices and extracts a broad range of data.
The QwixxRAT file is a C#-compiled binary, functioning as a 32-bit executable file designed for CPU operations. QwixxRAT is designed to collect lots of different types of information, like web history, credit card details, and even what keys are pressed. This RAT can do more than just steal data; it has powerful tools that let the attackers control the computers it infects. They can give commands and even make the computers stop working.
QwixxRAT has 19 functions that each do different things. It also has a special configuration function that decides how it acts on the computer it’s on. This configuration function contains various values, which can be in the form of booleans, file extensions, or other types of data. Based on these values, the RAT adapts its actions accordingly.
Function 1: HideConsoleWindow – As this is a CPU program, the threat actor conceals the console to remain covert.
Function 2: CheckMutex – The threat actor uses a mutex value check to stop the program from running twice. They generate an MD5 value for the string and check if the current user has special powers (admin privileges). If the user is an admin, the threat actor creates a new mutex using the string to make sure only one copy of the program runs on the computer.
Function 3: SecurityProtocol – This code snippet sets the “ServicePointManager.SecurityProtocol” property to enable support for multiple secure network protocols. The application ensures backward compatibility and broader compatibility with various servers and clients by including SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2. This configuration allows the application to securely communicate with servers requiring different SSL/TLS versions to establish secure connections.
Function 4: Elevate Privileges – The code tries to make the program run with admin rights by restarting itself (Hidden Attribute) with the “runas” verb. If the user says no or if the settings prevent it, the code keeps trying to get admin rights using a loop.
Function 5: Sleep – To evade AV/EDR/Sandbox detection, the threat actor incorporates the sleep function to introduce a delay in the execution process.
Function 6: runAntiAnalysis – The threat actor employed three methods for anti-analysis purposes: Sandboxie, VirtualBox, and Debugger.
Function 7: installSelf – The threat actor looks for a file at “C:\Users\Chrome\rat.exe”. If it’s not found there, the code copies itself to that location and hides the file.
Function 8: setAutorun – A scheduled task is created for the hidden file located at “C:\Users\Chrome\rat.exe”.
Function 9: MeltFile – The code has a self-destruction feature made for a C# program. When certain conditions are met, it makes a temporary batch script that waits for itself to close. After it closes, it erases the program’s file and starts again from a specific spot called InstallPath (“C:\Users\Chrome\rat.exe”). This type of self-destruction is commonly seen in malware to hide or in security tools to delete sensitive parts once they’re done. The batch script checks if there’s a parent process with a certain ID (1207) and waits until it’s there. When the parent process is found, the script removes the “stealer.exe” file (which is the parent), switches to the “C:\Users\Chrome” folder, and then runs the “rat.exe” program (which is a copy of the parent).
Function 10: isConnectedToInternet – The code checks if there’s an internet connection by pinging “google.com” and “api.telegram.org”. It keeps trying until both sites respond, and it prints messages status messages to the console during the process.
Function 11: processCheckerThread – The code monitors the processes running on the system and checks for specific ones like “taskmgr,” “processhacker,” “netstat,” “netmon,” “tcpview,” “wireshark,” “filemon,” “regmon,” and “cain.” If any of these are found, it stops the network activity and waits until the process is gone. When the process is gone, the network activity starts again, and the code sends a message to a Telegram bot to tell it that the blocked process was detected.
Function 12: keyloggerThread – The code has a function that captures keyboard events and saves them to a file. It changes special keys into understandable forms and organizes the keystrokes based on the window’s title. Keyboard hooks are used for things like keylogging and handling hotkeys. It’s important to know that while keyboard hooks can be used for good things like accessibility, they can also be misused for bad things like secret keylogging without the user knowing.
Function 13: AutoStealerThread – The code is made to secretly collect private information from a specific computer. It takes screenshots, gets login details, credit card info, web history, FTP credentials, messenger data, and data from the Steam platform. Then, it sends all this taken data to the attacker using a hidden Telegram channel.
Function 14: Clipper – The threat actor may exploit clipboard manager APIs to illicitly access sensitive information copied to the device’s clipboard. The code aims to extract cryptocurrency wallet information from the following organizations: Monero, Ethereum, and Bitcoin.
Function 15: protectProcess – By adjusting “SeDebugPrivilege” to level 2, your program gains a special privilege known as “Debug Privilege.” This privilege is typically needed for specific tasks like debugging or system administration.
Function 16: PreventSleep – It’s worth mentioning that the value 2147483651U used in this context represents a combination of flags (ES_CONTINUOUS, ES_SYSTEM_REQUIRED, and ES_AWAYMODE_REQUIRED) to set the system’s execution state. These flags ensure that the system remains continuously active, preventing sleep or idle mode, even if the user is away, such as during presentations or video playback.
Function 17: sendConnection – The purpose of this code is to send a text message to a specific chat on Telegram using a Telegram bot.
Function 18: waitCommandsThread – The code sets up a loop to keep an eye on messages and commands from the Telegram bot. It reacts quickly based on these messages, like downloading files, running commands, or telling the bot owner about unknown messages. This way, the code makes sure the bot stays active and deals with new messages quickly.
Function 19: MainForm – The code makes the main form of the app borderless and hidden from the taskbar. Also, the app is given high priority when the system is shutting down, so it can finish important tasks before the system turns off.
Kindly refer to the IOCs Section to exercise controls on your security systems.
rule QwixxRAT
{
meta:
malware_name = “QwixxRAT”
description = “QwixxRAT is a trojan designed to extract browser cookies, histories, credit card information and capture keylogger activities from targeted devices”
version = “1”
strings:
$string_0 = “[CAPSLOCK: ON]” ascii wide
$string_1 = “[ESC]” ascii wide
$string_2 = “webcam.png” ascii wide
$string_3 = “SELECT * FROM win32_operatingsystem” ascii wide
$string_4 = “\\User Data\\Default\\Login Data” ascii wide
$string_5 = “recentservers.xml” ascii wide
$string_6 = “credit_cards.txt” ascii wide
$string_7 = “Tasklist /fi” ascii wide
$string_8 = “Select * from AntivirusProduct” ascii wide
$string_9 = “\\keylogs.txt” ascii wide
$string_10 = “AutoStealer” ascii wide
condition:
all of them
}
(Source: Surface Web)
Key Intelligence Signals:
A New APT Carderbee Exploits Legitimate Software for Malware Distribution
Summary:
In a recent observation, a newly identified advanced persistent threat (APT) group named Carderbee has executed a sophisticated supply chain attack, using the legitimate Cobra DocGuard software to infiltrate victim computers and deploy the Korplug backdoor (also known as PlugX). The attackers leveraged a legitimate Microsoft certificate to sign their malware, evading detection and enhancing their credibility. Predominantly targeting victims in Hong Kong, with some across Asia, the campaign’s primary aim was to distribute the Korplug backdoor. The campaign’s origins remain uncertain, and while Korplug is associated with various APT groups, this activity couldn’t be definitively linked to any known threat actor. Cobra DocGuard, a product by China-based EsafeNet, was exploited in this operation, hinting at a carefully orchestrated supply chain attack. The attackers demonstrated precision by infecting around 100 computers, out of approximately 2,000 with the Cobra DocGuard software, signifying targeted payload delivery. The attack’s multi-stage process involved a downloader with a valid Microsoft certificate, used to introduce the Korplug backdoor. The attackers skilfully manipulated the legitimate update process of Cobra DocGuard to execute their malicious actions, deploying x64 and x86 drivers to manipulate and compromise victim systems.
Insights:
The APT group demonstrated a clear understanding of how to exploit the trust associated with legitimate software, as they manipulated the update process of the Cobra DocGuard software to deliver their malicious payload. This tactic not only bypassed traditional security measures but also exploited a vector that many users and organizations consider safe. On top of it, the threat actor choosing 100 specific targets out of 2000, hints about good strategic planning that could further help in evading detection.
Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.
North Korean hackers target South Korea–US military exercises
South Korea’s Police have announced that the North Korean threat actor known as Kimsuky has targeted South Korean contractors, working for a joint military exercise between the US and South Korea. The agency found that an IP address used in the attack was also used in an alleged Kimsuky hack against a South Korean nuclear reactor operator in 2014.
The threat actor has reportedly used spearphishing attacks in an attempt to steal information, however, the police agency stated that no classified or military-related information was stolen. North Korea has initiated the attacks in response to South Korean and U.S. forces’ 11-day Ulchi Freedom Guardian summer exercises, which are targeting the improvement of their joint ability to respond to North Korea’s evolving nuclear and missile threats.
US Intelligence Agencies Warn of Cyber Threats to Space Systems
The US Federal Bureau of Investigation (FBI), the National Counterintelligence and Security Center (NCSC), and the Air Force Office of Special Investigations (AFOSI) have issued a bulletin outlining cyberespionage threats targeting the space industry. As per the report, foreign spies and hackers are targeting the commercial space industry as they recognize the importance of the US economy and national security, including the growing dependence of critical infrastructure on space-based assets. These are not only seen as a potentially vulnerable point of the world’s biggest economy, but also as valuable opportunities to acquire vital technologies, free-of-charge technological innovation, and expertise. Cyberattacks are then typically targeting key supply chain nodes in a bid to gain access to classified assets.
The warning bears heavily on the threat to intellectual property, which was a topic of a recent CYFIRMA report on Chinese state IP theft programs, but it also warns against direct threats to space systems themselves. China and Russia represent serious adversaries in this field, and US Intelligence agencies posit that any future war will open with a cyberattack against satellite systems. Russia’s invasion of Ukraine has confirmed the template with Russian military intelligence hacking key satellite communications, utilized by the Ukrainian army on the first day of its attack on the country.
Former Head of Russian Cyberspace Information Operations Presumed Dead
Russia’s most powerful mercenary Yevgeny Prigozhin was on board a plane that crashed on the evening of 23rd August, north of Moscow with no survivors, according to Russian authorities. The crash, which was filmed live by onlookers, has been according to yet unconfirmed reports caused by Russian anti-aircraft missiles.
Prigozhin’s death would leave the Wagner Group, which incurred President Vladimir Putin’s wrath in June by staging an abortive armed mutiny against the army’s top brass, leaderless, and raise questions about its future operations in cyberspace and elsewhere. Whatever the cause of the crash, his death would also rid President Putin of a person responsible for the most serious challenge to the Russian leader’s authority since he came to power in 1999. To read more on Yevgeny Prigozhin and his activities including his sponsoring of the infamous Russian troll factory, which tried to influence American elections.
Bolton Group is Impacted by Play Ransomware
Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in the dark forum that a company from Italy, (www[.]boltongroup[.]net), was compromised by Play Ransomware. Bolton Group is a multinational that has been producing and distributing for over 70 years a vast range of innovative and sustainable branded products. Currently, the data that was compromised has not been disclosed on the leaked website. This implies that potential negotiations might be taking place between the targeted party and the ransomware group. The data that has been compromised includes sensitive and personal confidential information, as well as documents related to clients and employees, such as passports, IDs, financial records, and tax documents.
The following screenshot was observed published on the dark web:
Source: Dark Web
Insights:
Vulnerability in Ivanti Sentry
Summary:
The vulnerability allows a remote attacker to bypass authentication process.
Insights:
The vulnerability exists due to missing authentication on certain APIs.
Impact:
A remote attacker can send a specially crafted HTTP request to port 8443/TCP, bypass authentication process, and execute arbitrary code on the system. Affected Products: https[:]//www[.]ivanti[.]com/blog/cve-2023-38035-vulnerability-affecting-ivanti-sentry
NoName hackers target nine institutions within Norway’s critical infrastructure
Summary:
The latest incident involves the NoName hackers’ group, which has once again directed its attention towards Norway. This time, they have asserted responsibility for an assault on nine essential infrastructural systems within the nation. This recent event contributes to the ongoing sequence of cyber incursions targeting Norway. The attack on Norway’s infrastructure was initiated through a Distributed Denial of Service (DDoS) attack, as disclosed by the threat actors. The NoName ransomware group has imprinted its digital signature by vandalizing numerous websites, as evidenced by their online statements and compromised links. The entities affected encompass both governmental entities and private enterprises, underscoring the expansive aspirations of the attackers. Prominent organizations have been identified as targets in the purported cyber assault on Norway. These comprise Bompengeselskap Nord AS (BPS Nord), a toll firm in Norway owned by Nordland and Troms og Finnmark counties; Ferde AS, a toll company in Norway owned by Agder, Rogaland, and Vestland counties; Ruter AS, the public transportation authority serving Oslo and Akershus counties; Boreal Norge AS, a Norwegian public transport operator with activities spanning multiple counties; the highest legislative body in Norway, Stortinget (Norwegian Parliament); and the governing body of Oslo, the capital city, Oslo Municipality.
Source: Twitter
Insights:
Although unquestionably concerning, the cyber-attack on Norway is not an unprecedented occurrence for the country. In June 2022, Norway encountered a distributed denial-of-service (DDoS) attack that caused disruptions across multiple entities. Subsequently, in July 2023, diverse ministries within the Norwegian government fell victim to a cyber-attack. The Norway Security Authority documented this attack, attributing it to a “criminal Pro-Russia” collective. Thankfully, no sensitive information was compromised during this cyber assault on Norway.
Carsworld’s Data Advertised in Leak Site
Summary:
CYFIRMA Research team observed a potential data leak related to Carsworld, {www[.]carsworld[.]id}. Carworld stands as an automotive dealership founded on three core principles: Speed, Innovation, and Trust. The data that has been breached includes details like merchant ID, category ID, name, email, phone number, WhatsApp information, and various other confidential data in SQL format.
Source: Underground forums
Insights:
Constantly seeking financial gains, opportunistic cybercriminals remain vigilant for accessible and weak systems and applications. Most of these attackers participate in clandestine discussions within underground forums, where they engage in the purchase and sale of stolen digital assets. In contrast to financially motivated groups like ransomware or extortion syndicates, who often publicize their attacks, these culprits prefer discreet operations. They exploit unpatched systems or vulnerabilities in applications to infiltrate and exfiltrate valuable data. Subsequently, this stolen data is promoted for sale on underground platforms, finding its way to new owners and being repurposed in subsequent attacks by other perpetrators.
CYFIRMA Research team observed a potential data leak related to Vesicash Financial Technology, {www[.]vesicash[.]com}. Vesicash Financial Technology is a company that operates in the Financial Services industry. The company is headquartered in Nigeria. The data that has been compromised includes user identifiers, account IDs, account types, first names, last names, email addresses, phone numbers, usernames, passwords, and additional sensitive information, all presented in SQL format.
Source: Underground forums
STRATEGIC RECOMMENDATION
MANAGEMENT RECOMMENDATION
TACTICAL RECOMMENDATION