Weekly Intelligence Report – 27 Dec 2024

Published On : 2024-12-27

Ransomware of the week

The CYFIRMA Research and Advisory Team highlights ransomware trends and insights gathered while monitoring various forums. The coverage spans multiple industries, geographies and technologies that could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows

Introduction
CYFIRMA Research and Advisory Team has found Locklocklock Ransomware while monitoring various underground forums as part of our Threat Discovery Process.

Locklocklock Ransomware
Researchers recently identified the “Locklocklock ransomware”, which encrypts files on infected systems and appends the extension “.locklocklock” to the filenames. Following encryption, it generates a ransom note titled “Readme-locklocklock.txt.”

Screenshot of files encrypted by ransomware (Source: Surface Web)

The Locklocklock ransom note informs victims that their data has been both encrypted and stolen. It demands a ransom payment to restore access to the files and threatens to publish the stolen data on Tor (.onion) leak sites if the payment is not made. The note also offers a “security report” that supposedly helps prevent future attacks.

Victims are warned against shutting down servers while the note is displayed, as this could result in permanent file damage. Additionally, the note provides contact details, including an email address, for communication with the attackers.

Screenshot of Locklocklock’s text file (“Readme-locklocklock.txt”)(Source: Surface Web)

Following are the TTPs mapped to the MITRE ATT&CK framework:

Tactic ID Technique/Sub-Technique
Execution T1053 Scheduled Task/Job
Execution T1059 Command and Scripting Interpreter
Execution T1106 Native API
Persistence T1053 Scheduled Task/Job
Persistence T1542.003 Pre-OS Boot: Bootkit
Persistence T1543.003 Create or Modify System Process: Windows Service
Persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Persistence T1574.002 Hijack Execution Flow: DLL Side-Loading
Privilege Escalation T1053 Scheduled Task/Job
PrivilegeEscalation T1055 Process Injection
Privilege Escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation T1574.002 Hijack Execution Flow: DLL Side-Loading
Privilege Escalation T1548 Abuse Elevation Control Mechanism
Defense Evasion T1014 Rootkit
Defense Evasion T1027 Obfuscated Files or Information
Defense Evasion T1036 Masquerading
Defense Evasion T1055 Process Injection
Defense Evasion T1070.004 Indicator Removal: File Deletion
Defense Evasion T1112 Modify Registry
Defense Evasion T1140 Deobfuscate/Decode Files or Information
Defense Evasion T1202 Indirect Command Execution
Defense Evasion T1222 File and Directory Permissions Modification
Defense Evasion T1497 Virtualization/Sandbox Evasion
Defense Evasion T1542.003 Pre-OS Boot: Bootkit
Defense Evasion T1548 Abuse Elevation Control Mechanism
Defense Evasion T1562.001 Impair Defenses: Disable or Modify Tools
Defense Evasion T1564.001 Hide Artifacts: Hidden Files and Directories
Defense Evasion T1564.003 Hide Artifacts: Hidden Window
Defense Evasion T1574.002 Hijack Execution Flow: DLL Side-Loading
Credential Access T1003 OS Credential Dumping
Credential Access T1552.001 Unsecured Credentials: Credentials In Files
Discovery T1010 Application Window Discovery
Discovery T1012 Query Registry
Discovery T1057 Process Discovery
Discovery T1082 System Information Discovery
Discovery T1083 File and Directory Discovery
Discovery T1087 Account Discovery
Discovery T1497 Virtualization/Sandbox Evasion
Discovery T1518.001 Software Discovery: Security Software Discovery
Collection T1005 Data from Local System
Collection T1114 Email Collection
Collection T1115 Clipboard Data
Collection T1185 Browser Session Hijacking
Collection T1560 Archive Collected Data
Command and Control T1071 Application Layer Protocol
Impact T1486 Data Encrypted for Impact
Impact T1490 Inhibit System Recovery
Impact T1496 Resource Hijacking

Relevancy and Insights:

  • This ransomware targets the Windows operating system, which is prevalent across numerous industries and organizations.
  • Detect-Debug-Environment: the ransomware checks whether it is running under a debugger and changes its behaviour if so, which hinders dynamic analysis and sandbox detonation.
  • Calls to WMI: the ransomware invokes the Windows Management Instrumentation (WMI) framework. WMI is used by many legitimate applications and services, but malware also abuses it to execute commands, collect system information, or modify the system while blending in with normal administrative activity.
  • The ransomware writes under “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\”. A Debugger value under a per-image subkey there makes Windows launch the named program whenever that image is started, so the ransomware can run instead of, or alongside, a legitimate binary. This gives it persistence and lets it keep control of the compromised system while evading detection.
  • The ransomware’s attempt to delete Volume Shadow Copies indicates a deliberate effort to hinder recovery (Inhibit System Recovery, T1490).

ETLM Assessment:
CYFIRMA’s assessment suggests that Locklocklock ransomware is likely to intensify its global operations, with a particular emphasis on high-value sectors such as manufacturing, finance, and healthcare. These industries are appealing due to their reliance on critical data and infrastructure, coupled with the severe impact of operational disruptions. By leveraging advanced evasion techniques, persistent registry modifications, and recovery inhibition strategies, the ransomware is expected to exploit systemic vulnerabilities, maximizing its potential for financial and operational leverage.

Sigma Rule
title: Drops script at startup location
threatname:
behaviorgroup: 1
classification: 7
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 11
        TargetFilename:
            - '*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.vbs*'
            - '*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.js*'
            - '*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.jse*'
            - '*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.bat*'
            - '*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.url*'
            - '*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.cmd*'
            - '*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.hta*'
            - '*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.ps1*'
            - '*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\*.wsf*'
    condition: selection
level: critical
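To show how the rule above actually fires, and how the same selection logic covers the IFEO and shadow-copy behaviours noted in the Relevancy and Insights section, here is an added example (written for this page, not code from the report or from any Sigma tooling). It translates Sigma wildcard strings to regular expressions using Sigma's escaping rules (in the patterns above, `\\*` is a literal backslash followed by a wildcard, while `\*` would be a literal asterisk) and evaluates three selections over constructed Sysmon-style events. The two extra rules (IFEO Debugger value, vssadmin/wmic shadow deletion) and all sample events are assumptions made for the example; only the startup-folder rule comes from the report.

```python
r"""Minimal evaluator for Sigma-style selections over Sysmon events.

Added example, not part of the CYFIRMA report.  Converts Sigma wildcard
strings to regexes ('\\*' = literal backslash then wildcard, '\*' = literal
asterisk) and applies the report's startup-folder rule plus two assumed rules
for the IFEO and shadow-copy behaviours described in the write-up.  All events
below are constructed samples, not real telemetry.
"""
import re

STARTUP_DIR = r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\"
SCRIPT_EXTS = ("vbs", "js", "jse", "bat", "url", "cmd", "hta", "ps1", "wsf")

# Sigma selections: every field must match (AND); a list of values is an OR.
RULES = {
    # The rule from the report (Sysmon Event ID 11, FileCreate).
    "Drops script at startup location": {
        "EventID": 11,
        "TargetFilename": [f"*{STARTUP_DIR}*.{ext}*" for ext in SCRIPT_EXTS],
    },
    # Assumed rule (not in the report): Debugger value written under IFEO,
    # Sysmon Event ID 13 (registry value set), ATT&CK T1546.012.
    "IFEO Debugger value set": {
        "EventID": 13,
        "TargetObject": [r"*\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\*\Debugger"],
    },
    # Assumed rule (not in the report): shadow copy deletion, Event ID 1, T1490.
    "Shadow copies deleted": {
        "EventID": 1,
        "CommandLine": ["*vssadmin*delete*shadows*", "*wmic*shadowcopy*delete*"],
    },
}


def sigma_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate one Sigma wildcard string into an anchored, case-insensitive regex."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        # Backslash escapes only another backslash or a wildcard character;
        # any other backslash (e.g. in '\AppData') is a literal backslash.
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "\\*?":
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE | re.DOTALL)


def selection_matches(selection: dict, event: dict) -> bool:
    """True when every field of the selection matches the event (list values are OR)."""
    for field, expected in selection.items():
        value = event.get(field)
        if value is None:
            return False
        options = expected if isinstance(expected, list) else [expected]
        if isinstance(value, int):
            if not any(value == opt for opt in options if isinstance(opt, int)):
                return False
        elif not any(sigma_wildcard_to_regex(str(opt)).match(str(value)) for opt in options):
            return False
    return True


def evaluate(events):
    """Return (rule title, event) pairs for every event that fires a rule."""
    return [(title, ev) for ev in events for title, sel in RULES.items() if selection_matches(sel, ev)]


# Constructed Sysmon-like records for the demonstration (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\locker.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.vbs"},
    {"EventID": 11, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vendor Tray.lnk"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\locker.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
     "Details": r"C:\Users\alice\AppData\Local\Temp\locker.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe List Shadows"},
]

if __name__ == "__main__":
    for title, ev in evaluate(SAMPLE_EVENTS):
        print(f"[{title}] EventID={ev['EventID']} Image={ev['Image']}")
```

The benign `.lnk` in the Startup folder and the `vssadmin List Shadows` command are included deliberately: a rule keyed only on the Startup path or only on `vssadmin` would fire on both, which is the false-positive class a SOC should check before deploying such rules at the `critical` level.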

(Source: Surface web)

STRATEGIC RECOMMENDATION

  • Enforce strong authentication, encryption and access-control configurations for critical systems in both cloud and on-premises environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATION

  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATION

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rule for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.

Trending Malware of the Week

Type: Remote Access Trojan (RAT) | Objectives: Espionage, Data theft | Threat Actor: TA397 | Target Technology: Windows OS | Target Organization: Defense sector | Target Geography: Turkey

CYFIRMA collects data from various forums, from which the trend is ascertained. We identified several popular malware families being distributed in the wild to launch cyberattacks on organizations or individuals.

Active Malware of the Week

This week “WmRAT and MiyaRAT” is trending.

Summary
Researchers observed that the advanced persistent threat (APT) group TA397 targeted a Turkish defense organization using a lure related to public infrastructure projects in Madagascar. The attack employed a RAR archive containing an LNK file, which created a scheduled task on the victim’s system to retrieve additional payloads. In the final phase of the attack, TA397 manually delivered the WmRAT and MiyaRAT malware families, both designed for intelligence gathering and exfiltration. Researchers assess that these campaigns are likely focused on supporting the interests of a South Asian government.

TA397
TA397 is a prominent South Asian espionage-focused APT group known for targeting sectors such as government, energy, telecommunications, defense, and engineering across the EMEA and APAC regions. The group primarily uses scheduled tasks to communicate with staging domains and deploy malicious backdoors, allowing them to access sensitive information and intellectual property. Observed activity consistently falls within UTC+5:30 working hours, suggesting a defined operational window. WmRAT and MiyaRAT are two distinct malware families identified as actively used by TA397, with MiyaRAT being a more recent addition. MiyaRAT appears to be reserved for higher-value targets, as it has been deployed less frequently across campaigns. It is believed that both malware families were likely developed by the same developers.

Attack Method
The TA397 campaign begins with spearphishing emails sent from a compromised government organization’s email account. These emails carried a RAR archive containing several files: an LNK file, a “~tmp.pdf” file, and two NTFS alternate data streams (ADS) named “Participation” and “Zone.Identifier.”

Fig: Infection chain of TA397

When the RAR archive is opened, the target sees only the LNK file: the ADS are not displayed by Windows’ built-in archive support or by WinRAR, and the decoy PDF has the hidden, system and archive (HSA) attributes set, so it stays out of view. The LNK carries a “.pdf.lnk” double extension; because Windows hides known file extensions by default, it is shown as a “.pdf”, and the user believes they are opening a legitimate PDF. If the archive is opened with 7-Zip, however, the hidden NTFS ADS can be seen and extracted.

ADS are an NTFS feature that allows additional named data streams to be attached to a file, and archive formats such as RAR v5 can store them. The Zone.Identifier stream is the Mark-of-the-Web: Windows writes it to files downloaded by a browser to record their origin zone, and files extracted from such an archive with Windows Explorer inherit a Zone.Identifier pointing at the archive’s source. It is not needed for the attack to succeed, but it is useful forensically. Here it reveals that “~tmp.pdf” is a legitimate World Bank document about a Madagascar infrastructure project.

Fig: Legitimate PDF used as a decoy document in the campaign.

The second ADS, “Participation,” contained a base64-encoded PowerShell script. When the LNK file ran, it executed that script from the stream attached to “~tmp.pdf”. The script opened the World Bank PDF lure and created a scheduled task named “DsSvcCleanup” that sent the target’s host information to the jacknwoods[.]com domain every 17 minutes; any payload returned was executed via a command prompt. Approximately 12 hours later, TA397 operators manually deployed the WmRAT and MiyaRAT payloads, starting with “anvrsa.msi,” which installed WmRAT as “anvrsa.exe.” When WmRAT failed to communicate, additional commands were issued to enumerate the system and exfiltrate data. The “gfxview.msi” payload was then executed to install MiyaRAT as “xrgtg.exe.”
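The delivery tricks in this chain (a double extension hidden by Explorer, a decoy with hidden attributes, a script smuggled in an ADS, and the Mark-of-the-Web that gives the decoy's origin away) can be checked mechanically once the archive has been extracted with a tool that preserves streams. The following is an added example written for this page, not code from the report or from any vendor: it triages a constructed listing of files and their streams. The file names, the stream body (a harmless UTF-16LE PowerShell one-liner standing in for the real “Participation” script) and the Zone.Identifier URL are all constructed for the example, not the campaign's real values.

```python
"""Offline triage of an extracted archive listing with NTFS alternate data streams.

Added example, not part of the report.  Flags a document-looking double
extension, hidden/system attributes, ADS other than Zone.Identifier, ADS whose
body base64-decodes to script text, and parses Zone.Identifier (Mark-of-the-Web)
to recover a file's origin.  All sample entries are constructed.
"""
import base64
import binascii

SCRIPT_EXECUTABLE = {"lnk", "exe", "scr", "js", "jse", "vbs", "vbe", "bat",
                     "cmd", "ps1", "hta", "wsf", "url"}
DOCUMENT_LIKE = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def double_extension(name: str):
    """Return (shown_ext, real_ext) when a name like 'x.pdf.lnk' masquerades as a document."""
    parts = name.lower().split(".")
    if len(parts) >= 3 and parts[-1] in SCRIPT_EXECUTABLE and parts[-2] in DOCUMENT_LIKE:
        return parts[-2], parts[-1]
    return None


def parse_zone_identifier(body: bytes) -> dict:
    """Parse the INI-style Zone.Identifier stream ([ZoneTransfer] ZoneId=, ReferrerUrl=, HostUrl=)."""
    info = {}
    for line in body.decode("utf-8", "replace").splitlines():
        if "=" in line and not line.startswith("["):
            key, _, value = line.partition("=")
            info[key.strip()] = value.strip()
    if "ZoneId" in info:
        info["ZoneName"] = ZONE_NAMES.get(int(info["ZoneId"]), "Unknown")
    return info


def decode_base64_script(body: bytes):
    """Return the decoded text if body is base64 of printable text, else None."""
    try:
        raw = base64.b64decode(body.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # PowerShell -EncodedCommand payloads are UTF-16LE; ASCII text in UTF-16LE
    # has every odd byte zero.  Otherwise fall back to UTF-8.
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
    if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def triage(entries):
    """entries: dicts {name, hidden, streams: {stream_name: bytes}}; returns finding strings."""
    findings = []
    for e in entries:
        name = e["name"]
        dbl = double_extension(name)
        if dbl:
            findings.append(f"{name}: displayed as .{dbl[0]} with extensions hidden but is a .{dbl[1]}")
        if e.get("hidden"):
            findings.append(f"{name}: hidden/system attributes set, not shown by default")
        for sname, body in e.get("streams", {}).items():
            if sname == "Zone.Identifier":
                z = parse_zone_identifier(body)
                findings.append(f"{name}: MotW zone {z.get('ZoneId')} ({z.get('ZoneName')}) "
                                f"from {z.get('HostUrl', '?')}")
            else:
                script = decode_base64_script(body)
                if script:
                    findings.append(f"{name}:{sname}: ADS holds base64 script {script.strip()[:60]!r}")
                else:
                    findings.append(f"{name}:{sname}: unexpected ADS, {len(body)} bytes")
    return findings


# Constructed sample listing.  The stream body is a harmless stand-in for the
# real "Participation" script; the file name and URL are invented for the example.
SAMPLE_SCRIPT = "Write-Output 'constructed sample'"
SAMPLE_ENTRIES = [
    {"name": "Madagascar_project.pdf.lnk", "hidden": False, "streams": {}},
    {"name": "~tmp.pdf", "hidden": True, "streams": {
        "Participation": base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")),
        "Zone.Identifier": b"[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://documents.example.org/madagascar.pdf\r\n",
    }},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ENTRIES):
        print(finding)
```

On a live Windows host the same stream names come from `Get-Item -Stream *` in PowerShell or `dir /r`; the point of the offline version is that the checks are simple enough to run in a sandbox over whatever an archive tool that preserves ADS (7-Zip, in this campaign) extracted.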

WmRAT
WmRAT is a remote access trojan (RAT) written in C++ that utilizes sockets for communication and offers typical RAT features. It can collect basic host information, upload and download files, capture screenshots, obtain geolocation data, enumerate directories and files, and execute commands through cmd or PowerShell. The malware also generates numerous fake threads, likely to confuse researchers or responders analyzing the samples. Upon execution, it begins by copying timezone information using the GetDynamicTimeZoneInformation function and employs the standard method of using the Sleep function at various stages, including a dedicated function designed to trigger extended sleep periods.

The malware creates a thread that gathers basic host information such as username, hostname, and logical drives but does nothing with this data. This process is repeated 1,000 times, likely to overwhelm behavior logs or create noise in the environment. After this, another identical thread is created, continuing the same behavior. The malware then attempts to communicate with its command and control (C2) server, though initially failing due to an uninitialized socket. Later, it successfully initializes the socket and decrypts the C2 server address, academymusica[.]com. Once the C2 server is contacted, the malware checks connectivity by sending a request to microsoft[.]com before establishing a connection on port 47408. The malware receives a 4-byte value from the C2 server, swaps the endianness, and uses this value to determine which command to execute. Some notable supported commands include:

  • Read and exfil file
  • Create host summary
  • Exit infection
  • Receive data from the C2, and write to file stream
  • Receive and decrypt filepath from C2
  • Take screenshot and exfil
  • Get geolocation information
  • Get file listing from given directory and gather file create/modification time
  • Get disk size for files and directories
  • Mini command handler
  • Exec string in cmd or powershell, or restart self
  • Exit

MiyaRAT
MiyaRAT, also written in C++, shares similar functionality with WmRAT. It begins by decrypting its hardcoded C2 address: each byte of the encrypted string has the corresponding character of the string “doobiedoodooziezzz” subtracted from it, which yields samsnewlooker[.]com. The port is also hardcoded, as 56189. Unusually, MiyaRAT implements its own version of the Mersenne Twister random number generator to determine sleep durations. After decoding the C2, MiyaRAT creates a global socket, which it initializes to communicate with the server.

Afterward, the malware gathers basic system information and sends it to the C2 together with the malware version (3), with the data XOR-encrypted using the single byte value 0x43. The C2 can then issue the commands MiyaRAT supports:

  • GDIR – get directory tree
  • DELz – remove directory/file
  • GFS – enumerate all files from a specific directory
  • SH1start_cmd – reverse shell using CMD
  • SH1start_ps – reverse shell using PowerShell
  • SH1 – interact with reverse shell
  • SFS – connect to new socket to upload and download files via UPL/DWNL
  • GSS – take screenshot and exfil
  • SH1exit_client – close infection
  • SH2 – interact with reverse shell
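The string and beacon encodings described for MiyaRAT, and the 4-byte byte-swapped command ID used by WmRAT, are small enough to reproduce, which is useful when writing a decoder for captured traffic or confirming a sample's configuration. The following is an added example written for this page, not code from the report or from the malware. The report does not print MiyaRAT's encrypted bytes, so the example constructs them by inverting the described routine (adding the key byte instead of subtracting it); the key string “doobiedoodooziezzz”, the recovered domain, the 0x43 XOR and the big-endian command word are taken from the text. The beacon layout and the command IDs are not described, so none are assumed.

```python
"""Re-creation of the MiyaRAT/WmRAT encodings described in the report.

Added example, not the malware's own code.  Ciphertext for the C2 string is
constructed here with the inverse routine because the report does not
include it; the key, domain, XOR byte and command-word handling come from
the write-up.
"""
KEY = b"doobiedoodooziezzz"


def miya_decode_c2(blob: bytes, key: bytes = KEY) -> str:
    """Recover the C2 string: each byte minus the key byte at the same position (mod 256)."""
    return bytes((b - key[i % len(key)]) & 0xFF for i, b in enumerate(blob)).decode()


def miya_encode_c2(domain: str, key: bytes = KEY) -> bytes:
    """Inverse of miya_decode_c2; used only to construct sample input for this example."""
    return bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(domain.encode()))


def xor43(data: bytes) -> bytes:
    """Single-byte XOR with 0x43, as used on the MiyaRAT beacon.  It is its own inverse."""
    return bytes(b ^ 0x43 for b in data)


def try_xor43(payload: bytes):
    """Analyst helper: XOR a captured payload with 0x43 and return it if it reads as text."""
    try:
        text = xor43(payload).decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def wmrat_command_id(raw: bytes) -> int:
    """WmRAT reads 4 bytes from the C2 and swaps their byte order before dispatching.

    On a little-endian host that swap is equivalent to reading the word as
    big-endian (network order), which is what this function does.
    """
    if len(raw) != 4:
        raise ValueError("command word must be exactly 4 bytes")
    return int.from_bytes(raw, "big")


if __name__ == "__main__":
    ciphertext = miya_encode_c2("samsnewlooker.com")      # constructed, see docstring
    print("constructed ciphertext:", ciphertext.hex())
    print("decoded C2:", miya_decode_c2(ciphertext))
    beacon = xor43(b"version=3")                           # constructed beacon fragment
    print("beacon on the wire:", beacon.hex(), "->", try_xor43(beacon))
    print("command word 00 00 00 07 ->", wmrat_command_id(b"\x00\x00\x00\x07"))
```

A single-byte XOR leaves the plaintext's byte-frequency profile intact, so `try_xor43` (or a brute force over all 256 key bytes) is a reasonable first check on unidentified traffic to 56189/tcp; the subtraction cipher for the C2 string behaves like a repeating-key Vigenère and is equally easy to reverse once the key string is pulled from the binary.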

TA397 Infrastructure and Domain Usage
TA397’s campaign infrastructure is split between staging and implant domains. The jacknwoods[.]com domain served as the staging domain for distributing WmRAT and MiyaRAT, while academymusica[.]com and samsnewlooker[.]com acted as the C2 domains for the respective implants. The staging domain jacknwoods[.]com resolved to 185.244.151[.]84, used a Let’s Encrypt certificate and was registered through GoDaddy, consistent with earlier TA397 campaigns. Notably, that IP is multi-tenanted and not controlled by TA397. The WmRAT C2, academymusica[.]com, resolved to 38.180.142[.]228, and the MiyaRAT C2, samsnewlooker[.]com, resolved to 96.9.215[.]155; both addresses likely belong to the attackers.

INSIGHTS

  • The TA397 campaign is a well-coordinated cyber espionage operation in which the attackers used spearphishing emails to target a Turkish defense organization. By embedding a decoy World Bank document about Madagascar’s infrastructure, they lured the victim into opening a malicious RAR archive, which led to the deployment of two malware families, WmRAT and MiyaRAT, used to gather sensitive intelligence and exfiltrate data. The focus on a defense organization indicates a clear espionage motive.
  • Both WmRAT and MiyaRAT are built for surveillance and information collection. WmRAT establishes remote access to infected systems and lets the attackers gather and exfiltrate host information, take screenshots, and execute commands. MiyaRAT offers similar functionality with some distinct features, including interactive reverse shells over cmd or PowerShell. These tools give the attackers a persistent and covert presence on compromised networks from which to collect intelligence over extended periods.
  • The infrastructure supporting the TA397 campaign reflects the group’s methodical approach to evading detection. The use of multiple domains for staging and command-and-control (C2) ensures the attackers can manage the infection at different stages without raising red flags. The combination of legitimate-seeming documents and sophisticated malware demonstrates the group’s expertise in blending in with regular communication channels while carrying out highly targeted cyber espionage.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that malware like WmRAT and MiyaRAT is expected to evolve significantly, with future versions becoming even more sophisticated and harder to detect. As these remote access tools become more advanced, threat actors such as TA397 will likely enhance their cyber espionage tactics, targeting sectors like defense, telecommunications, and energy. With geopolitical tensions increasing, state-sponsored groups are anticipated to launch more targeted and persistent attacks, leveraging malware-laced documents and spearphishing campaigns to compromise organizations. These attacks will seamlessly blend into routine operations, making them difficult to identify and mitigate. As malware continues to advance, employees could inadvertently become the weakest link, with their actions potentially facilitating access to sensitive data and systems. Over time, this could lead to more extensive data breaches, allowing threat actors to exfiltrate intellectual property, government secrets, and proprietary trade information, posing significant risks to both organizational security and national interests.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

Recommendations:
STRATEGIC:

  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.
  • Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT:

  • Regularly reinforce awareness related to different cyberattacks using impersonated domains/spoofed webpages with end-users across the environment and emphasize the human weakness in mandatory information security training sessions.
  • Incorporate a written software policy that educates employees on good practices in relation to software and potential implications of downloading and using restricted software.
  • Move beyond the traditional model of security awareness towards Improved Simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Exert caution when opening email attachments or clicking on embedded links supplied via email communications.
  • Consider the following multi-layered protection program:
  • Anti-evasion technology that prevents advanced evasion techniques that use embedded files and malicious URLs.
  • Anti-phishing engines to prevent any type of phishing attack before it reaches users.

CYFIRMA’S WEEKLY INSIGHTS

1. Weekly Attack Types and Trends

Key Intelligence Signals:

  • Attack Type: Ransomware Attacks, Phishing, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Killsec Ransomware, RansomHub Ransomware | Malware – WmRAT and MiyaRAT
  • Killsec Ransomware – One of the ransomware groups.
  • RansomHub Ransomware – One of the ransomware groups.
  • Malware – WmRAT and MiyaRAT (please refer to the trending malware advisory above for details).
  • Behavior – Most of these malware families use phishing and social engineering as their initial attack vectors. Exploitation of vulnerabilities, defense evasion, and persistence tactics are also observed.

2. Threat Actor in Focus

Lazarus Group Enhances Its Infection Chain with a Combination of New and Existing Malware

  • Threat actor: Lazarus Group
  • Initial Attack Vector: Phishing, Malicious email/attachment
  • Objective: Espionage
  • Business Impact: Financial losses, theft of sensitive information.

SUMMARY
The Lazarus group has evolved its attack methods, using complex infection chains to target individuals in sensitive sectors such as aerospace, defense, and cryptocurrency and delivering malware through fake job opportunities. This attack used archive files containing trojanized utilities such as VNC software, which were delivered to multiple employees.

The infection process began with a trojanized version of TightVNC, disguised as a legitimate tool, which prompted the victim to connect to a server. The malicious VNC software decrypted and extracted further malware, including a downloader that was loaded into memory to facilitate additional attacks. One key component, Ranid Downloader, enabled the deployment of more malicious tools, such as MISTPEN and RollMid. MISTPEN was used to fetch additional payloads, including a new variant of the LPEClient tool.

Throughout the infection, the group employed a variety of techniques, including DLL side-loading and the use of legitimate software, to maintain persistence and evade detection. Another malware, CookieTime, was observed to facilitate lateral movement and the downloading of additional payloads on compromised systems. CookiePlus, a newer downloader, could retrieve DLLs or shellcodes and acted as a modular malware tool, enabling the continuous download of new malicious components from command-and-control servers.

The attack infrastructure mainly consisted of compromised web servers running PHP-based services. The persistent and evolving nature of the malware, especially the introduction of CookiePlus, highlights the group’s ongoing efforts to improve its attack techniques and evade security measures. The modular structure makes it difficult for defenders to track the full scope of an infection, as new plugins and payloads may be added over time.

Relevancy & Insights:
The Lazarus group’s past attacks, particularly those in the “DeathNote” campaign (also known as “Operation DreamJob”), provide key context for understanding their evolving tactics and techniques. Historically, this group has targeted sensitive sectors such as defense, aerospace, and cryptocurrency through social engineering tactics like fake job offers. These attacks often involved distributing malicious documents or trojanized tools, like remote access utilities (VNC or PuTTY), designed to convince targets to connect to controlled servers for “skills assessments.”

The current attack mirrors these past campaigns, maintaining the focus on social engineering through fake job-related archives. However, there is a significant shift in the methods used. In previous incidents, Lazarus relied heavily on infected documents or PDFs as the primary initial infection vector. This time, they employed compressed ISO files instead of ZIP archives to avoid detection by security systems. Inside these files, Lazarus continued to use trojanized VNC software but combined it with new tools like Ranid Downloader, MISTPEN, and CookieTime to enhance their persistence and payload delivery.

In terms of malware delivery, the group has evolved from using simpler trojans to deploying more sophisticated modular malware frameworks. In the past, Lazarus used tools like Mata and Gopuram Loader for persistent access. The current campaign introduces CookiePlus, a more advanced downloader, which is modular and capable of downloading both DLLs and shellcode, reflecting the group’s shift towards more flexible, persistent infection mechanisms.

The malware flow in the current incident is also more complex, with tools like CookieTime used to facilitate lateral movement across networks, and sophisticated payloads like RollMid and LPEClient delivered after initial access. This complexity demonstrates the group’s increasing sophistication and adaptability in evading detection and maintaining a foothold in targeted organizations, continuing the trend of adapting their methods for greater stealth and persistence seen in past attacks.

ETLM Assessment:
The Lazarus group, a state-sponsored threat actor from North Korea, is known for conducting sophisticated cyberattacks, including espionage, financial theft, and disruption of critical infrastructure. They target global industries, with a focus on defense, aerospace, cryptocurrency, and energy sectors. Their attack methods often involve social engineering, spear-phishing, and exploiting software vulnerabilities to gain access to sensitive systems.

Lazarus has evolved its malware toolkit over time. In recent campaigns it has used a combination of new and old malware, including Ranid Downloader, MISTPEN, RollMid, CookieTime, and CookiePlus. These tools allow the group to maintain persistence, deliver additional payloads, and evade detection. Earlier, it relied on trojanized remote access tools such as VNC and PuTTY for infiltration, alongside exploitation of software vulnerabilities and social engineering such as fake job offers. For most of this campaign the group used compromised web servers running WordPress as C2s; samples such as MISTPEN, LPEClient, CookiePlus, and RollMid used such servers as their C2. For CookieTime, however, only one of the identified C2 servers ran a WordPress-based website. All the C2 servers seen in this campaign run PHP-based web services and are not bound to a specific country.

Looking ahead, Lazarus is expected to continue adapting its tactics, focusing on improving malware modularity and stealth. With an ongoing interest in cryptocurrency theft and espionage, they will likely intensify their attacks on financial institutions and critical sectors, making advanced threat detection and proactive security measures essential for organizations in high-value industries.

Recommendations:

Strategic Recommendations:

  • Strengthen Vulnerability Management: Given Lazarus’ use of known and zero-day vulnerabilities to exploit targeted systems, we advise prioritizing vulnerability management programs. Regular patching cycles, rapid application of security updates, and automated vulnerability scanning should be implemented to address critical vulnerabilities, especially for remote access tools and widely used applications that are commonly targeted.
  • Improve Network Segmentation: To reduce the lateral movement of malware within the organization, we recommend implementing more granular network segmentation. By isolating critical systems and sensitive data, you can prevent attackers from spreading across your network, limiting the damage and slowing down further compromises.

Tactical Recommendations:

  • Enhance Email and Web Filtering: Since Lazarus frequently uses spear-phishing and malicious attachments (e.g., trojanized ISO files or VNC software), we recommend implementing advanced email and web filtering technologies that can detect malicious payloads and stop them before they reach end users. This includes deploying sandboxing solutions for email attachments and URLs to analyze suspicious content in a controlled environment.
  • Increase Endpoint Detection and Response (EDR) Capabilities: Enhance your EDR capabilities to detect and respond to early signs of malware execution, especially for tools like Ranid Downloader, MISTPEN, and CookiePlus. Ensure that EDR systems are configured to identify suspicious file activities, such as unusual process behavior, the presence of trojanized applications, and attempts to execute payloads or load DLLs. Deploying anti-tamper protections will also help defend against attempts to disable security measures.
  • Behavioral Analytics and Anomaly Detection: Leverage user and entity behavioral analytics (UEBA) to monitor for unusual access patterns, particularly in systems with high-value targets like defense or aerospace sectors. Establish baseline behavior and configure anomaly detection systems to flag abnormal activities such as unusual login times, increased privilege escalations, and suspicious lateral movement within the network.

Operational Recommendations:

  • Run Comprehensive Security Awareness Training: Since Lazarus often employs social engineering tactics (like fake job offers or recruitment schemes), we recommend conducting frequent and comprehensive security awareness training. This should include educating staff on recognizing phishing attempts, handling suspicious emails, and verifying job opportunities or recruitment contacts via trusted channels.
  • Improve Incident Response and Forensics: Strengthen your incident response (IR) procedures with predefined playbooks tailored to Lazarus-specific tactics. Ensure that your SOC is equipped to quickly identify malware and compromise indicators through rapid collection of IoCs, such as VNC-related files, trojanized remote access tools, and C2 communications. Enhance forensic capabilities to track and remediate any damage caused by these advanced persistent threats, focusing on malware analysis and timeline reconstruction.
  • Deploy Multi-Factor Authentication (MFA): As part of your defensive measures, we strongly recommend implementing MFA across all critical accounts, especially those related to system administration and remote access. This will significantly reduce the likelihood of successful credential-based attacks, which are commonly used by Lazarus to maintain access to compromised networks.

MITRE FRAMEWORK
Tactic ID Technique
Execution T1106 Native API
Persistence T1574.002 Hijack Execution Flow: DLL Side-Loading
Privilege Escalation T1548 Abuse Elevation Control Mechanism
Defense Evasion T1036 Masquerading
Defense Evasion T1497 Virtualization/Sandbox Evasion
Defense Evasion T1562.001 Impair Defenses: Disable or Modify Tools
Credential Access T1056 Input Capture
Discovery T1010 Application Window Discovery
Discovery T1057 Process Discovery
Discovery T1082 System Information Discovery
Discovery T1518.001 Software Discovery: Security Software Discovery
Command and Control T1071 Application Layer Protocol
Command and Control T1095 Non-Application Layer Protocol
Command and Control T1573 Encrypted Channel

IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

3. Major Geopolitical Developments in Cybersecurity

US considers a ban on Chinese-made TP-Link routers after large-scale telecom breach
Amid a year marked by prominent Chinese cyberattacks, the **Salt Typhoon campaign** has emerged as particularly alarming. This operation, attributed to a Chinese government-linked hacking group identified as “Salt Typhoon,” was disclosed in late September. The hackers breached at least eight major U.S. telecommunications networks, including AT&T and Verizon, specifically targeting the cellphones of high-profile government officials and politicians, such as President-elect Donald Trump and Vice President-elect J.D. Vance.

Adding to the concern, U.S. officials revealed that as of December, efforts to fully expel the hackers from most compromised systems remained unsuccessful, with no clear timeline for resolution. The implications extend beyond targeted individuals, with CISA and allied agencies from Australia, New Zealand, and Canada cautioning that the campaign’s scope goes beyond U.S. networks. The hackers have also likely accessed general phone call and text metadata for over a million Americans, signaling a potentially vast and pervasive breach.

ETLM Assessment:
The Biden administration’s response has been limited, including moves to ban Chinese telecom firms and allocate funds to replace Chinese equipment.

However, the transition to a new administration complicates these efforts. Meanwhile, the US Commerce, Defense, and Justice departments have each opened investigations into whether Chinese-manufactured TP-Link home routers pose a national security risk, and are considering banning the devices in the US. The company holds around 65% of the US market for routers for homes and small businesses, and the routers are used by the Defense Department and other Federal agencies.

CYFIRMA experts emphasize the need for stronger cybersecurity measures as international relations analysts discuss offensive counter-strategies. The incident reflects escalating cyber threats, underscoring vulnerabilities in private-sector-led U.S. cybersecurity defenses and the growing need for a unified, robust response to counter these adversarial provocations.

4. Rise in Malware / Ransomware and Phishing

The Killsec Ransomware Impacts PT Pertamina

  • Attack Type: Ransomware
  • Target Industry: Energy
  • Target Geography: Indonesia
  • Ransomware: Killsec Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Indonesia, PT Pertamina (www[.]pertamina[.]com), was compromised by Killsec Ransomware. PT Pertamina (Persero) is Indonesia’s state-owned oil and natural gas corporation, playing a crucial role in the country’s energy sector. The company operates across the entire energy value chain, including exploration, production, refining, and distribution of oil and gas. Pertamina is also actively involved in developing new and renewable energy sources, such as geothermal, solar, and biofuels, to support national energy security and sustainability. The breached data has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data includes confidential and sensitive information belonging to the organization.

Source: Dark Web

Relevancy & Insights:

  • KillSec is a ransomware group that has gained notoriety for its ransomware-as-a-service (RaaS) model and a series of high-profile attacks.
  • KillSec Ransomware employs various sophisticated methods to infiltrate systems, including phishing attacks, exploiting known vulnerabilities, and using custom malware to maintain persistence within compromised networks.
  • The KillSec Ransomware group primarily targets countries like India, the United States of America, Belgium, Brazil, and Romania.
  • The KillSec Ransomware group primarily targets industries, such as Financial Services, Health Care Providers, Software, Internet, and Computer Services.
  • Based on the Killsec Ransomware victims list from 1st Jan 2024 to 24th December 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by Killsec Ransomware from 1st Jan 2024 to 24th December 2024 are as follows:

ETLM Assessment:
The emergence and evolution of KillSec’s Ransomware-as-a-Service (RaaS) platform represents a concerning development in the cybercrime landscape. By lowering the technical barrier to entry, this RaaS model allows less skilled individuals to engage in sophisticated ransomware attacks, potentially leading to an increase in such incidents globally.

According to CYFIRMA’s assessment, the KillSec ransomware group is expected to continue targeting a wide range of industries worldwide. Their advanced tactics, such as exploiting website vulnerabilities and conducting credential theft, make them a significant threat to organizations with inadequate security measures in place.

The RansomHub Ransomware Impacts Hashem Contracting & Trading Corp

  • Attack Type: Ransomware
  • Target Industry: Construction
  • Target Geography: Saudi Arabia
  • Ransomware: RansomHub Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Saudi Arabia, Hashem Contracting & Trading Corp (www[.]hashem-contracting[.]com), was compromised by RansomHub Ransomware. Hashem Contracting is a prominent construction and contracting company based in Saudi Arabia. The compromised data consists of confidential and sensitive information related to the organization. The total size of the compromised data is approximately 91GB.

Source: Dark Web

Relevancy & Insights:

  • RansomHub utilizes spear-phishing campaigns and social engineering tactics to gain access to victim networks. They have been noted for using voice scams with convincing accents to manipulate victims into resetting passwords.
  • The RansomHub Ransomware group employs tools like PsExec and PowerShell scripts to execute commands remotely on compromised machines. They use Python scripts to establish SSH connections and transfer the encryptor via Secure File Transfer Protocol (SFTP).
  • The RansomHub Ransomware group primarily targets countries like the United States of America, the United Kingdom, Brazil, Italy, and Australia.
  • The RansomHub Ransomware group primarily targets industries, such as Heavy Construction, Business Support Services, Specialized Consumer Services, Software, and Health Care Providers.
  • Based on the RansomHub Ransomware victims list from 1st Jan 2024 to 24th December 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by RansomHub Ransomware from 1st Jan 2024 to 24th December 2024 are as follows:

ETLM Assessment:
Based on recent assessments by CYFIRMA, RansomHub ransomware is expected to intensify its operations across various industries worldwide, with a notable focus on regions in the United States, Europe, and Asia. This prediction is reinforced by the recent attack on Hashem Contracting & Trading Corp, a prominent Construction company from Saudi Arabia, highlighting RansomHub’s significant threat presence in the Middle East.

5. Vulnerabilities and Exploits

Vulnerability in LDAP Account Manager

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Server application
  • Vulnerability: CVE-2024-52792
  • CVSS Base Score: 6.5
  • Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  • Summary: The vulnerability allows a remote attacker to compromise the affected system.

Relevancy & Insights:
The vulnerability exists due to an input validation error when processing directory traversal sequences in mainmanage.php and confmain.php scripts.

Impact:
A remote user can modify configuration variables, including the log file path, and execute arbitrary PHP code on the system.

Affected Products:
https[:]//github[.]com/LDAPAccountManager/lam/security/advisories/GHSA-6cp9-j5r7-xhcc

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
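As an added example (not code from the report or from the LAM project), the following Python detector scans web-server access log lines for requests to the two scripts named above that carry directory traversal sequences, decoding percent-encoding repeatedly so double-encoded variants are caught. The sample log lines, the /lam/templates/config/ URL path and the parameter names are constructed for illustration and are not LAM's actual names.

```python
import re
from urllib.parse import unquote

# Scripts named in the advisory summary above.
WATCHED_SCRIPTS = ("mainmanage.php", "confmain.php")

# Combined access log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." segment bounded by a slash/backslash or by the start/end of the value.
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %252e%252e (double-encoded '..') is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(target: str) -> bool:
    """True if the request path or any query value contains a traversal sequence."""
    decoded = decode_fully(target)
    path, _, query = decoded.partition("?")
    candidates = [path]
    for pair in query.split("&"):
        _, _, val = pair.partition("=")
        candidates.append(val)
    return any(TRAVERSAL_RE.search(c) for c in candidates)


def detect(lines):
    """Return (ip, timestamp, target, status) for traversal attempts against watched scripts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        rec = m.groupdict()
        path = decode_fully(rec["target"]).partition("?")[0]
        if not path.lower().endswith(WATCHED_SCRIPTS):
            continue  # only the two scripts from the advisory are of interest here
        if has_traversal(rec["target"]):
            hits.append((rec["ip"], rec["ts"], rec["target"], rec["status"]))
    return hits


# Constructed sample lines; the URL path and "logfile"/"conf" parameter names are assumed.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Dec/2024:10:01:02 +0000] "GET /lam/templates/config/confmain.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [20/Dec/2024:10:01:09 +0000] "POST /lam/templates/config/confmain.php?logfile=../../../../tmp/x.log HTTP/1.1" 302 0',
    '198.51.100.7 - - [20/Dec/2024:10:02:30 +0000] "GET /lam/templates/config/mainmanage.php?conf=%2e%2e%2f%2e%2e%2fsome%2fpath.log HTTP/1.1" 200 4096',
    '198.51.100.7 - - [20/Dec/2024:10:03:00 +0000] "GET /lam/templates/login.php?x=../../ HTTP/1.1" 200 1024',
    '192.0.2.9 - - [20/Dec/2024:10:04:11 +0000] "GET /lam/templates/config/mainmanage.php HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print("ALERT: traversal attempt against LAM config script:", hit)
```

Requests to scripts outside the watched set are deliberately ignored so the rule stays specific to this advisory; widen WATCHED_SCRIPTS if the same check is wanted for other endpoints.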

TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment
Vulnerability in LDAP Account Manager can pose significant threats to user privacy and security. This can impact various industries globally, including technology, finance, healthcare, and beyond. Ensuring the security of LDAP Account Manager is crucial for maintaining the integrity and protection of users’ data worldwide.

Therefore, addressing these vulnerabilities is essential to safeguarding the account management activities that LDAP Account Manager performs on LDAP directories, where it provides a user-friendly, abstracted view of the directory structure, across different geographic regions and sectors.

6. Latest Cyber – Attacks, Incidents, and Breaches

8Base Ransomware Attacked and Published the Data of ISEKI and CO., LTD

  • Threat Actor: 8Base Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Applications
  • Target Industry: Manufacturing
  • Target Geography: Japan
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary
Recently, we observed that 8Base Ransomware attacked and published the data of ISEKI and CO., LTD (www[.]iseki[.]co[.]jp) on its dark web website. ISEKI & CO., LTD. is a leading Japanese manufacturer specializing in agricultural machinery, particularly known for its innovations in rice cultivation and other farming equipment. Iseki and Co. contribute to creating a prosperous society by providing products and services that delight customers. The data leak caused by the ransomware attack includes invoices, receipts, accounting records, personal data, certificates, employment contracts, a large volume of confidential information, confidentiality agreements, personal files, and other sensitive documents.

Source: Dark Web

Relevancy & Insights:

  • 8Base Ransomware typically infiltrates systems through phishing emails and by leveraging initial access brokers who sell stolen credentials on the dark web. The 8Base Ransomware group uses AES-256 encryption to secure files and adds the .8base extension to the encrypted data.
  • 8Base Ransomware uses tools like RClone for data exfiltration and employs various methods to evade detection, including disabling Windows Defender and deleting shadow copies.

ETLM Assessment:
8Base ransomware continues to pose a significant threat to organizations globally, particularly targeting SMBs across various sectors. Its double extortion tactics and sophisticated evasion techniques highlight the need for robust cybersecurity measures. Organizations are advised to implement strong email filtering, conduct regular security training for employees, and maintain updated backups to mitigate risks associated with this evolving threat actor. Continuous monitoring of emerging trends related to 8Base will be essential for effective incident response strategies.

7. Data Leaks

Japanese Mining Company Access Advertised on a Leak Site

  • Attack Type: Access Sale
  • Target Industry: Mining
  • Target Geography: Japan
  • Objective: Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary
The CYFIRMA Research team discovered an access sale involving a Japanese mining company on an underground forum. The access being sold includes SSH, GitHub, and GitLab credentials, with a listed price of $10,000 in XMR (Monero). The sale has been attributed to a threat actor known as “IntelBroker.”

Source: Underground forums

The Ministry of Finance (MOF) Thailand Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Geography: Thailand
  • Target Industry: Government
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a data leak related to the Ministry of Finance (MOF) of Thailand in an underground forum. The Ministry of Finance (MOF) in Thailand is a pivotal cabinet ministry responsible for managing the nation’s public finances, taxation, treasury, government properties, and revenue-generating enterprises. It also oversees government monopolies and provides loan guarantees for governmental agencies, financial institutions, and state enterprises. The compromised data includes sensitive and confidential information related to the Ministry of Finance, available in XLSX, CSV, TXT, ZIP, 7Z, and PDF formats. The total size of the breached data amounts to 5.9 TB. The breach has been linked to a threat actor identified as “Ssuefddub.”

Source: Underground forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data.

Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
“IntelBroker” represents a significant threat within the cybersecurity landscape due to its sophisticated tactics and high-profile targets. Organizations are advised to implement robust security measures such as access control, regular patch management, and employee training to mitigate risks associated with such threat actors. Continuous monitoring of emerging threats like IntelBroker will be essential for effective incident response strategies in the evolving cyber threat environment.

Recommendations: Enhance the cybersecurity posture by:

  1. Update all software products to their latest versions; this is essential to mitigate the risk of vulnerabilities being exploited.
  2. Ensure proper database configuration to mitigate the risk of database-related attacks.
  3. Establish robust password management policies, incorporating multi-factor authentication and role-based access to fortify credential security and prevent unauthorized access.

8. Other Observations

The CYFIRMA Research team observed a data leak related to 6ixpensary (https[:]//6ixpensary[.]io) in an underground forum. 6ixpensary is an online cannabis dispensary based in Toronto, Ontario, Canada. The platform specializes in the sale of various cannabis products, catering to both recreational and medicinal users.

The compromised data consists of an ID, username, email address, first name, last name, registration date, user nice name, display name, nickname, user role, hashed password, and activation key. The breach has been linked to a threat actor identified as “888.”

Source: Underground Forums

ETLM Assessment
The threat actor group “888” has gained notoriety in underground forums, emerging as a significant force in cybercrime, primarily motivated by financial gains. This group has already targeted a wide range of industries, including government, industrial conglomerates, retail, staffing, business consulting, banking, e-commerce, and utilities. Their diverse targeting patterns suggest that they plan to broaden their scope and potentially expand their attacks to additional industries worldwide in the future.

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organisations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring, through next-generation security solutions and a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediations, and lessons learned.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events, communicate anomalies in a timely manner, and continuously evolve these processes to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapidly execute security checklists.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioral anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

Situational Awareness – Cyber News

Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.